Steps to Reproduce
Cross-Site Scripting executed in the frontend by the Chrome PDF viewer
This issue exists due to insufficient input filtering of the files uploaded by the “Assets Upload” function. In order to mitigate the issue, we recommend applying input filtering to all uploaded files in the entire application to ensure that only valid content is processed (this means input filtering for the fields as well as for the field values). We also recommend ensuring the library used for rendering is robust, as it will be parsing potentially malicious content on the server side. Additionally, setting up a sandboxed environment could further help to reduce the attack surface.
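One way to apply the recommended input filtering at upload time, as an added example that is not Marmind's code or part of the original advisory. It assumes the uploaded asset is a PDF; the function names, the list of rejected keys and the sample bytes are constructed for illustration.

```python
import re

# PDF name keys that run scripts or automatic actions when a viewer opens the file
# (assumed deny-list for this example, not taken from the advisory).
ACTIVE_KEYS = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}

# A PDF name starts with "/" and ends at whitespace or a delimiter character.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_pdf_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is compared as JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def screen_pdf_upload(data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means it passed."""
    reasons = []
    # Content check on the bytes themselves, not on the file name or MIME type.
    if not data.startswith(b"%PDF-"):
        reasons.append("missing %PDF- header")
    found = {decode_pdf_name(m.group(1)) for m in _NAME.finditer(data)}
    for key in sorted(found & ACTIVE_KEYS):
        reasons.append(f"active-content key /{key}")
    # Compressed object streams can hide keys from a byte scan, so send
    # such files to a full parser instead of accepting them here.
    if "ObjStm" in found:
        reasons.append("object stream present, needs full parse")
    return reasons


# Constructed sample inputs.
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
)
NOT_PDF = b"<html>hello</html>"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("scripted", SCRIPTED), ("not_pdf", NOT_PDF)):
        print(label, screen_pdf_upload(blob) or "accepted")
```

A byte-level screen like this is only a first pass: content inside compressed streams is not inspected, which is why the rendering library and a sandbox still matter.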
Fix / Producer Statement
The issue was reported to Marmind. The identified business threat was evaluated and does not pose a high security threat to the Marmind users.
Credit for finding and reporting the issue:
• Evgeni Sabev (Deloitte)