Summary

A security vulnerability has been identified in podinfo, a popular web application used for demonstrating Kubernetes microservices. The application's /store feature allows unauthenticated users to upload and host arbitrary HTML and JavaScript content. This leads to Stored Cross-Site Scripting (XSS) on any domain where podinfo is deployed.

Vulnerability Details

Software: podinfo
Vulnerability Type: CWE-434 (Unrestricted Upload of File with Dangerous Type) / CWE-79 (Stored XSS)
Affected Endpoint: /store
Impact: High (allows session hijacking, phishing, and defacement of the hosting domain)

Description

The /store endpoint is designed to cache and retrieve data. However, the application accepts arbitrary payloads via unauthenticated POST requests and serves them back via GET requests without sanitization, without a restrictive Content-Type, and without security headers such as Content-Security-Policy. Because the stored body is served back as an HTML document, an attacker can inject <script> tags. When a victim visits the generated URL, the script executes within the origin of the podinfo deployment.

Proof of Concept (PoC)

1. Submit malicious payload: send a POST request to the /store endpoint with HTML content in the request body.
2. Receive asset hash: the server responds with a JSON object containing the hash of the stored content. In this example the hash is 8c6a66132b08e56549273609d9c3f7d16cc8341b.
3. Execution: navigate to the following URL in a browser:
   https://target-domain/store/8c6a66132b08e56549273609d9c3f7d16cc8341b
   The browser renders the stored payload as an HTML document and executes the embedded JavaScript immediately within the context of target-domain.

Real-World Impact

This vulnerability is particularly dangerous when podinfo is deployed on sensitive infrastructure. During research, multiple instances were found exposed on high-trust domains. Attackers can use these trusted subdomains to host malicious phishing pages or steal administrative credentials from cluster operators.

Mitigation

Disable the storage feature if not required.
Implement a strict Content-Security-Policy (CSP).
Enforce Content-Type: text/plain or application/octet-stream for all data served from the /store endpoint, together with X-Content-Type-Options: nosniff so that browsers cannot sniff the body back to HTML.
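The PoC exchange and the mitigation above, as an added worked example that is not podinfo's code and not part of the original advisory. It is a minimal Go emulation of a /store endpoint that serves stored bytes the way the advisory describes, drives the three PoC steps against it in-process, and shows the same read handler with the recommended headers applied. Assumptions that are mine rather than the page's: the in-memory map store, the SHA-1 content hash (chosen to match the 40-hex-character hash in the advisory's URL), the handler and function names, the use of Go net/http's automatic content sniffing as the concrete mechanism by which an untyped HTML body is labelled text/html, the "default-src 'none'; sandbox" CSP value, and the constructed HTML payload.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// store emulates the /store cache in memory (assumption: only the advisory's
// request/response shape is reproduced; requests here are sequential, so no lock).
type store struct {
	data     map[string][]byte // sha1 hex -> stored body
	hardened bool              // false: serve as the advisory describes; true: mitigated
}

// contentHash yields the 40-hex-character SHA-1 seen in the advisory's URL.
func contentHash(b []byte) string {
	sum := sha1.Sum(b)
	return hex.EncodeToString(sum[:])
}

// write handles POST /store: keep the body verbatim, reply {"hash": "<sha1>"}.
func (s *store) write(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	h := contentHash(body)
	s.data[h] = body
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"hash": h})
}

// read handles GET /store/<hash>. Vulnerable path: no explicit Content-Type and
// no CSP, so net/http sniffs an HTML body as text/html and a browser runs its
// script in the site's origin. Hardened path: the advisory's mitigation headers.
func (s *store) read(w http.ResponseWriter, r *http.Request) {
	body, ok := s.data[strings.TrimPrefix(r.URL.Path, "/store/")]
	if !ok {
		http.NotFound(w, r)
		return
	}
	if s.hardened {
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	}
	w.Write(body)
}

// newHandler routes POST /store and GET /store/<hash> (method checks omitted).
func newHandler(hardened bool) http.Handler {
	s := &store{data: map[string][]byte{}, hardened: hardened}
	mux := http.NewServeMux()
	mux.HandleFunc("/store", s.write)
	mux.HandleFunc("/store/", s.read)
	return mux
}

// rendersAsHTML: a browser treats the body as HTML if it is labelled text/html,
// or if it carries no type at all and sniffing is not forbidden.
func rendersAsHTML(h http.Header) bool {
	ct := strings.ToLower(h.Get("Content-Type"))
	noSniff := strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff")
	return strings.HasPrefix(ct, "text/html") || (ct == "" && !noSniff)
}

// runPoC runs the advisory's three steps against baseURL: POST the payload,
// take the hash from the JSON reply, GET /store/<hash>; returns hash and headers.
func runPoC(baseURL, payload string) (string, http.Header, error) {
	post, err := http.Post(baseURL+"/store", "text/html", strings.NewReader(payload))
	if err != nil {
		return "", nil, err
	}
	defer post.Body.Close()
	var reply map[string]string
	if err := json.NewDecoder(post.Body).Decode(&reply); err != nil {
		return "", nil, err
	}
	get, err := http.Get(baseURL + "/store/" + reply["hash"])
	if err != nil {
		return "", nil, err
	}
	get.Body.Close()
	return reply["hash"], get.Header, nil
}

// payload is a constructed stand-in for the advisory's HTML upload.
const payload = `<html><body><script>alert(document.domain)</script></body></html>`

func main() {
	for _, hardened := range []bool{false, true} {
		srv := httptest.NewServer(newHandler(hardened))
		hash, hdr, err := runPoC(srv.URL, payload)
		srv.Close()
		fmt.Println("hardened:", hardened, "hash:", hash, "type:", hdr.Get("Content-Type"), "html:", rendersAsHTML(hdr), "err:", err)
	}
}
```

Run with `go run .`: the first line shows the vulnerable server answering the GET with text/html and rendersAsHTML true; the second shows application/octet-stream plus nosniff and a CSP, which a browser will not execute. Against a live target the same check applies: point runPoC at the base URL and inspect the Content-Type and X-Content-Type-Options headers on the GET response. The CSP is kept in the hardened path even though the content type alone stops rendering, so that a later change that relaxes the type does not silently reopen the hole.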