CVE-2026-46426
Deferred - Pending Action
Stored XSS in Budibase File Upload Endpoint

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content (SVG files with inline <script> tags, HTML pages with JavaScript, .js modules), which is then stored in the object store (MinIO/S3) with its correct MIME type. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE

Vendor    Product    Version / Range
budibase  budibase   to 3.38.2 (inc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Compliance Impact

This vulnerability allows authenticated users to upload executable web content that can lead to persistent stored cross-site scripting (XSS) attacks affecting all application end users.

Such attacks can result in session cookie theft, full account takeover, and workspace takeover, which compromises the confidentiality and integrity of user data.

Because of these impacts on data confidentiality and user account security, the vulnerability could negatively affect compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Executive Summary

This vulnerability exists in Budibase, an open-source low-code platform, prior to version 3.38.2. The file upload endpoint POST /api/attachments/process does not properly enforce restrictions on active content for authenticated users. Specifically, checks for dangerous file extensions are only applied conditionally based on whether the user is public or the environment is self-hosted. As a result, any authenticated builder can upload executable web content such as SVG files containing inline script tags, HTML pages with JavaScript, or JavaScript modules. These files are stored with their correct MIME types in the object store (MinIO/S3). When other users open the resulting signed URL, the browser executes the malicious payload, leading to persistent stored cross-site scripting (XSS) affecting all application end users.

Impact Analysis

The vulnerability allows authenticated users to upload malicious executable web content that can be executed by other users' browsers when accessing the stored files. This results in persistent stored cross-site scripting (XSS), which can lead to unauthorized actions, data theft, session hijacking, or other malicious activities affecting all users of the application.

Mitigation Strategies

To mitigate this vulnerability, upgrade Budibase to version 3.38.2 or later, where the issue is fixed.

Until the upgrade is applied, restrict authenticated builder users from uploading executable web content such as SVG files with inline scripts, HTML pages with JavaScript, and .js modules.

Additionally, review and tighten file upload endpoint controls and consider disabling or limiting the use of signed URLs that allow execution of uploaded content.
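The description above names the defect (the dangerous-extension check wrapped in `if (isPublicUser || !env.SELF_HOSTED)`), and the mitigation asks for the upload controls to be tightened. The following is an added illustrative example, not Budibase's own code: it shows the vulnerable shape of the check next to a hardened version that applies the restriction to every caller and also sniffs the file body. Only `isPublicUser`, `env.SELF_HOSTED` and the endpoint come from the advisory; the function names, the extension list and the content sniff are assumptions made for the demonstration.

```javascript
// Added illustrative example, not Budibase's own code. The names isPublicUser
// and env.SELF_HOSTED come from the advisory; everything else (function names,
// the extension list, the content sniff) is assumed for the demonstration.

// Extensions a browser executes as active content when the object store serves
// them with their real MIME type (assumed list; extend it for your deployment).
const ACTIVE_CONTENT_EXTENSIONS = new Set([".html", ".htm", ".xhtml", ".svg", ".js", ".mjs"]);

function extensionOf(filename) {
  const base = filename.slice(filename.lastIndexOf("/") + 1);
  const dot = base.lastIndexOf(".");
  return dot < 0 ? "" : base.slice(dot).toLowerCase();
}

function hasActiveContentExtension(filename) {
  return ACTIVE_CONTENT_EXTENSIONS.has(extensionOf(filename));
}

// Conservative sniff of the first kilobyte: HTML and SVG bodies are rejected
// whatever the file is named, so renaming an SVG to photo.png does not help.
function looksLikeActiveContent(body) {
  const head = body.slice(0, 1024).replace(/^\uFEFF/, "");
  return /<(!doctype\s+html|html|svg|script)[\s>]/i.test(head);
}

// Vulnerable shape described in the advisory: the dangerous-extension check
// runs only for public users (or only when not self-hosted), so an
// authenticated builder on a self-hosted instance is never checked.
function validateUploadVulnerable(filename, { isPublicUser, env }) {
  if (isPublicUser || !env.SELF_HOSTED) {
    if (hasActiveContentExtension(filename)) {
      return { allowed: false, reason: "active content is not permitted" };
    }
  }
  return { allowed: true };
}

// Hardened shape: the same check is unconditional and is backed by a content
// sniff. Caller identity and deployment mode no longer influence the decision.
function validateUploadFixed(filename, body) {
  if (hasActiveContentExtension(filename)) {
    return { allowed: false, reason: "active content is not permitted" };
  }
  if (looksLikeActiveContent(body)) {
    return { allowed: false, reason: "file body is HTML/SVG/script" };
  }
  return { allowed: true };
}

// Stand-alone demonstration with constructed inputs.
const builderOnSelfHosted = { isPublicUser: false, env: { SELF_HOSTED: true } };
console.log(validateUploadVulnerable("logo.svg", builderOnSelfHosted)); // { allowed: true }  <- the bypass
console.log(validateUploadFixed("logo.svg", "<svg></svg>"));           // { allowed: false, reason: ... }
console.log(validateUploadFixed("photo.png", "\x89PNG\r\n"));          // { allowed: true }
```

The point of the hardened version is that the decision depends only on the file, never on who is uploading it or how the instance is deployed; the content sniff is a second layer so that an extension denylist alone is not the whole defence.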

Detection Guidance

This vulnerability can be detected by monitoring and inspecting uploads to the file upload endpoint POST /api/attachments/process in Budibase versions prior to 3.38.2. Specifically, look for authenticated users uploading files with dangerous extensions such as HTML, SVG (with inline script tags), JavaScript (.js), or PHP files that should normally be restricted.

To detect potential exploitation, you can search your object store (MinIO/S3) for files with these extensions or MIME types that are not expected, especially those containing executable web content.

Suggested commands include:

  • Using AWS CLI or MinIO client to list suspicious files by extension or MIME type, for example: `aws s3 ls s3://your-bucket/ --recursive | grep -E '\.(html|svg|js|php)$'`
  • Downloading and inspecting suspicious files for embedded scripts, e.g., `aws s3 cp s3://your-bucket/path/to/file.svg ./` followed by manual or automated scanning for `<script>` tags.
  • Monitoring HTTP POST requests to the /api/attachments/process endpoint in your application logs or network traffic for uploads of these file types by authenticated users.
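The three suggestions above (list by extension, inspect bodies for script, watch POSTs to the endpoint) are easy to automate. The following added example, which is not part of the advisory or of Budibase, applies them to constructed data: an in-memory object-store listing with file bodies, and application-log lines in an invented `key=value` format. Only the endpoint path /api/attachments/process comes from the advisory; the object keys, bodies, user names and log format are constructed for illustration, and the markup patterns go slightly beyond the list above (event-handler attributes and `javascript:` URLs count as active content too).

```javascript
// Added example, not part of the advisory or of Budibase: applies the three
// detection ideas above to constructed data. The object keys, file bodies and
// the key=value log format are invented for illustration; only the endpoint
// path /api/attachments/process comes from the advisory.

// Extensions the guidance above calls out, plus xhtml/mjs, which browsers treat the same way.
const RISKY_EXTENSION = /\.(html?|xhtml|svg|m?js|php)$/i;

// Markup that turns a document into active content when rendered by a browser.
const ACTIVE_MARKUP = [
  /<script[\s>]/i,          // inline or external script
  /\son[a-z]+\s*=/i,        // event-handler attributes such as onload=
  /javascript:/i,           // javascript: URLs in href / xlink:href
  /<foreignObject[\s>]/i,   // SVG element that embeds HTML
];

// Classify one stored object by its key and (the start of) its body.
function scanObject(key, body) {
  const findings = [];
  if (RISKY_EXTENSION.test(key)) findings.push("risky-extension");
  if (ACTIVE_MARKUP.some((re) => re.test(body.slice(0, 65536)))) findings.push("active-markup");
  return findings;
}

// Walk a listing (e.g. `aws s3 ls --recursive` output joined with the
// downloaded bodies) and keep only the objects that have findings.
function scanListing(objects) {
  return objects
    .map(({ key, body }) => ({ key, findings: scanObject(key, body) }))
    .filter((o) => o.findings.length > 0);
}

// Parse one constructed application-log line: "<timestamp> k=v k=v ...".
function parseLogLine(line) {
  const [timestamp, ...fields] = line.trim().split(/\s+/);
  const entry = { timestamp };
  for (const field of fields) {
    const eq = field.indexOf("=");
    if (eq > 0) entry[field.slice(0, eq)] = field.slice(eq + 1);
  }
  return entry;
}

// Successful POSTs to the upload endpoint whose filename has a risky extension.
function suspiciousUploads(lines) {
  return lines
    .map(parseLogLine)
    .filter((e) => e.method === "POST" && e.path === "/api/attachments/process")
    .filter((e) => e.status === "200" && RISKY_EXTENSION.test(e.filename || ""));
}

// Constructed sample data.
const SAMPLE_OBJECTS = [
  { key: "apps/app_dev/attachments/report.pdf", body: "%PDF-1.7 constructed" },
  { key: "apps/app_dev/attachments/logo.svg", body: '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>' },
  { key: "apps/app_dev/attachments/banner.svg", body: '<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><circle r="4"/></svg>' },
  { key: "apps/app_dev/attachments/notes.png", body: "<html><script>/* constructed */</script></html>" },
];
const SAMPLE_LOG = [
  "2026-05-27T10:02:11Z user=builder@example.com method=POST path=/api/attachments/process status=200 filename=report.pdf",
  "2026-05-27T10:03:40Z user=builder@example.com method=POST path=/api/attachments/process status=200 filename=banner.svg",
  "2026-05-27T10:04:02Z user=anon method=GET path=/api/attachments/process status=405 filename=-",
  "2026-05-27T10:05:19Z user=builder@example.com method=POST path=/api/attachments/process status=200 filename=widget.js",
];

console.log(scanListing(SAMPLE_OBJECTS));   // logo.svg, banner.svg and notes.png are flagged
console.log(suspiciousUploads(SAMPLE_LOG)); // the banner.svg and widget.js uploads
```

Note that `notes.png` is flagged even though its extension is harmless: an extension-only sweep (the `grep` above) misses renamed HTML, so body inspection is what catches it, while a benign `logo.svg` is flagged on extension alone and needs a human look.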