Stored Cross-Site Scripting (XSS)

Reported by vautia on www.huntr.dev, Aug 25, 2022 - 10:20 p.m.
Report ID: 51E9B709-193C-41FD-BD4A-833AACA0BD4E

Tags: filestorage, javascript, permissions, html, xssgroup, backend users, poc payload, screenshot

EPSS: 0.001 (percentile 25.1%)

Description

It is possible to upload HTML files containing a JavaScript payload to the FileStorage as a low-privilege user with the corresponding permissions. When the HTML file is opened via an indirect link, the JavaScript code is executed.

Proof of Concept

Steps to reproduce:

1. Log in to the backend as admin
2. Go to List -> File Storage -> fileadmin. Make sure that the `is publicly available` flag is not set (Screenshot 1)
3. Go to Filelist. Create a folder `xss` (Screenshot 2)
4. Go to List. Click on the `+` and select Filemount. Create a new Filemount with Label `xss`, Storage `fileadmin`, and Folder `/xss/` (Screenshot 3)
5. Go to Backend Users and select `Backend User Groups`. Create a new group called `XSSGroup`, enable the File->Filelist module in the Access Lists tab, and in the Mounts tab select the `xss` mount (Screenshot 4)
6. Go to Backend Users and select `Backend Users`. Create a new user called `xssuser` and assign it to the XSSGroup. Make sure that the user is enabled (Screenshot 5)
7. In a private browser window, log in as the xssuser. Click on File -> Filelist and upload an HTML file containing the payload to the xss folder (Screenshot 6)
8. Right-click on the Show button and copy the link
9. Back in the admin session, open the copied link and observe that the JavaScript payload is executed (Screenshot 7)

PoC Payload:

<html>
<script>alert(document.location)</script>
</html>
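The root cause described above is that a stored upload is served back to the browser as a document of the application's own origin, so any markup in it runs with the viewer's session. The following is an added example (not code from the report or from the affected project) of the two server-side checks a defender would want: a refusal of active content at upload time, and response headers that prevent a stored file from rendering as a page when it is served back. The function names, the extension and MIME lists, and the sample filenames are assumptions for illustration.

```python
"""Defensive handling of user-uploaded files in a file storage (added example).

Two independent checks:
  1. upload_decision(): refuse active content (HTML/SVG/XML/JS) at upload time.
  2. download_headers(): when a stored file is served back, never let the
     browser render it as a document in the site's origin.
Names and lists are illustrative assumptions, not any product's API.
"""
import os
import re
from mimetypes import guess_type

# Extensions and MIME types a browser treats as active content when rendered inline.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".xml", ".js", ".mjs"}
ACTIVE_MIME_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "text/javascript", "application/javascript",
}
# Markers that indicate markup or script regardless of the declared extension.
_MARKUP_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<svg",
                   b"<iframe", b"javascript:")


def looks_like_markup(head: bytes) -> bool:
    """Cheap content sniff over the first 1 KiB; catches HTML renamed to e.g. 'notes.txt'."""
    sample = head[:1024].lower()
    return any(marker in sample for marker in _MARKUP_MARKERS)


def upload_decision(filename: str, head: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for a file a low-privilege user wants to store."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in ACTIVE_EXTENSIONS:
        return False, f"extension {ext} is active content"
    if looks_like_markup(head):
        return False, "content sniffs as HTML/SVG/script"
    return True, "ok"


def safe_download_name(filename: str) -> str:
    """Strip directories, quotes and control characters before echoing a name in a header."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r'["\r\n\x00-\x1f]', "", base)
    return base or "download"


def download_headers(filename: str, head: bytes) -> dict[str, str]:
    """Headers for serving a stored upload back to a browser (defence in depth)."""
    declared, _ = guess_type(filename)
    declared = declared or "application/octet-stream"
    name = safe_download_name(filename)
    headers = {
        # Stop MIME sniffing so a 'text/plain' body cannot be upgraded to HTML.
        "X-Content-Type-Options": "nosniff",
        # Even if something does render, it gets an opaque origin and no script.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if declared in ACTIVE_MIME_TYPES or looks_like_markup(head):
        # Force a download with a neutral type instead of rendering in-origin.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    else:
        headers["Content-Type"] = declared
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample: the report's payload stored as 'payload.html'.
    payload = b"<html>\n<script>alert(document.location)</script>\n</html>\n"
    print(upload_decision("payload.html", payload))
    print(download_headers("payload.html", payload))
    print(download_headers("photo.jpg", b"\xff\xd8\xff\xe0"))
```

The upload-time check alone is not sufficient, because an administrator may legitimately need to store HTML, and because a file's extension can be changed after upload; the serving-side headers are what actually remove the script-execution path, so both checks belong in a file-storage implementation.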

Screenshots 1 to 7 referenced in the steps above (images not reproduced in this text).
