CVE-2024-27306
XSS vulnerability in aiohttp (PyPI)
What is CVE-2024-27306 About?
A Cross-Site Scripting (XSS) vulnerability exists on index pages for static file handling when `web.static(..., show_index=True)` is used. This allows an attacker to inject arbitrary client-side scripts, potentially leading to session hijacking, defacement, or redirection, if they can upload files with malicious filenames. Exploitation is possible if the application allows untrusted file uploads and serves an index page, making it moderately easy to exploit.
Affected Software
aiohttp (PyPI), versions before 3.9.4 (see Available Upgrade Options below).
Technical Details
The XSS vulnerability manifests when aiohttp's `web.static` function is configured with `show_index=True`, causing it to generate index pages for static directories. The core of the problem is that these generated index pages do not escape filenames before displaying them. If an attacker can upload a file with a specially crafted filename (e.g., one containing `<script>` tags or an HTML event handler such as `onload="alert(1)"`) to the static directory, the server embeds this malicious filename directly into the HTML of the index page without escaping. When a user then navigates to this index page, their browser executes the injected script, resulting in a Cross-Site Scripting attack within the user's browser context.
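The mechanism described above, as an added illustration in plain Python that is not aiohttp's own code: a minimal directory listing written the unsafe way beside the hardened way, rendered over a constructed set of upload names that carry HTML. The entry list, the two render functions and the `listing_is_safe` audit helper are assumptions made for this example.

```python
import html
from urllib.parse import quote

# Constructed sample: uploaded names carrying HTML, the situation
# CVE-2024-27306 describes. Such names are legal on Linux and macOS,
# so a listing must treat every filename as untrusted input.
SAMPLE_ENTRIES = [
    ("report.pdf", False),
    ("<script>alert(1)</script>.txt", False),
    ('x" onmouseover="alert(2)', True),
]


def render_index_unescaped(dir_name, entries):
    """The vulnerable pattern: names are interpolated into HTML verbatim."""
    items = "".join(
        '<li><a href="%s">%s</a></li>' % (name, name) for name, _ in entries
    )
    return "<h1>Index of %s</h1><ul>%s</ul>" % (dir_name, items)


def render_index_escaped(dir_name, entries):
    """The hardened pattern: URL-encode the href, HTML-escape text and attributes."""
    items = []
    for name, is_dir in sorted(entries):
        label = name + "/" if is_dir else name
        href = quote(label, safe="/")  # link-target context: percent-encode
        items.append(
            '<li><a href="%s">%s</a></li>'
            % (html.escape(href, quote=True), html.escape(label, quote=True))
        )
    return "<h1>Index of %s</h1><ul>%s</ul>" % (
        html.escape(dir_name), "".join(items))


def listing_is_safe(page, entries):
    """Audit check: no raw name containing HTML metacharacters survives
    verbatim into the rendered page (every such name must be encoded)."""
    return not any(
        any(c in name for c in "<>\"'") and name in page for name, _ in entries
    )
```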
What is the Impact of CVE-2024-27306?
Successful exploitation may allow attackers to execute arbitrary client-side scripts in the context of the user's browser, potentially leading to credential theft, session hijacking, defacement of web pages, or redirection to malicious sites.
What is the Exploitability of CVE-2024-27306?
Exploiting this XSS vulnerability requires two main conditions: the `web.static` function must be used with `show_index=True`, and an attacker must be able to upload files with arbitrary filenames to the static directory served by aiohttp. The complexity is moderate, as it involves crafting a malicious filename and successfully uploading it. The XSS itself has no authentication requirement, but the ability to upload files usually implies some level of access or a separate vulnerability allowing file upload. This is typically a remote attack. No specific privileges are needed for the injection itself; however, an attacker would need write permission to the static directory. Risk factors that increase the likelihood of exploitation include applications that allow unauthenticated or poorly validated file uploads to directories served by `web.static` with index listing enabled.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-27306?
Available Upgrade Options
- aiohttp
- <3.9.4 → Upgrade to 3.9.4
Additional Resources
- https://github.com/aio-libs/aiohttp
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIVBMPEY7WWOFMC3CWXFBRQPFECV4SW3
- https://nvd.nist.gov/vuln/detail/CVE-2024-27306
- https://github.com/aio-libs/aiohttp/pull/8319/files
- https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EXRGTN2WG7VZLUZ7WOXU5GQJKCPPHKP
What are Similar Vulnerabilities to CVE-2024-27306?
Similar Vulnerabilities: CVE-2023-51610, CVE-2023-48767, CVE-2023-48616, CVE-2023-46927, CVE-2023-46726
