QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

QuickDrop 跨站脚本漏洞

QuickDrop是Rostislav个人开发者的一个自托管匿名文件分享应用，支持分块上传与加密存储。 QuickDrop 1.5.3之前版本存在跨站脚本漏洞，该漏洞源于文件预览端点存在存储型跨站脚本漏洞，允许上传包含JavaScript有效载荷的特制SVG文件，可能导致脚本在应用程序环境中执行。

N/A

N/A