PT-2023-26063 · Unknown · Fast-Poster

Leeya_Bug · Published 2023-07-11 · Updated 2023-07-18 · CVE-2023-37658

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: fast-poster version 2.15.0

Description: The issue is a Cross-Site Scripting (XSS) vulnerability in file upload: the check for image files is performed on the binary data of the file but does not strictly verify the file suffix. The weakness is reachable at the "/server/fast.py" endpoint, specifically through the ApiUploadHandler.post function, and results in stored XSS. The estimated number of potentially affected devices worldwide is not provided.

Recommendations: For fast-poster version 2.15.0, as a temporary workaround, consider disabling the file upload functionality at the /server/fast.py endpoint, specifically the ApiUploadHandler.post function, until a patch is available. Restrict access to the ApiUploadHandler.post function to minimize the risk of exploitation, and avoid using the file upload feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
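As an added illustration of the check the description says is missing, the following Python validator accepts an upload only when the file suffix is on an image allowlist and agrees with the type detected from the magic bytes, and it returns the response headers such files should be served with. This is example code written for this advisory, not code from the fast-poster project; the allowlist, the function names and the header set are assumptions for the example.

```python
import os
import uuid
from typing import Dict, Optional, Tuple

# Constructed allowlist for this example: accepted suffix -> MIME type served.
# Anything else (.html, .svg, .js, ...) is rejected before the bytes are even inspected.
ALLOWED_SUFFIXES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".webp": "image/webp",
}


class UploadRejected(ValueError):
    """Raised when an upload fails suffix or content validation."""


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's magic bytes, or None if unknown."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[str, str]:
    """Validate suffix AND content, and require the two to agree.

    Returns (server_side_filename, mime_type); raises UploadRejected otherwise.
    """
    # 1. Keep only the base name so client-supplied directory parts are discarded.
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lower()

    # 2. The suffix itself must be allowlisted. A file whose bytes look like an
    #    image but whose name ends in .html fails here, which is the check the
    #    advisory describes as missing.
    if ext not in ALLOWED_SUFFIXES:
        raise UploadRejected(f"suffix {ext!r} is not an allowed image suffix")

    # 3. The bytes must really be an image, and of the kind the suffix declares.
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected("content is not a recognised image format")
    if sniffed != ALLOWED_SUFFIXES[ext]:
        raise UploadRejected(f"suffix {ext!r} does not match content type {sniffed!r}")

    # 4. Never store under the client's name; a random name with the validated
    #    suffix keeps the web server's MIME mapping tied to our check.
    server_name = f"{uuid.uuid4().hex}{ext}"
    return server_name, ALLOWED_SUFFIXES[ext]


def response_headers_for(mime_type: str) -> Dict[str, str]:
    """Headers for serving stored uploads so a browser cannot reinterpret them."""
    return {
        "Content-Type": mime_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The two checks are deliberately independent: the suffix allowlist stops a scriptable file name from ever reaching storage, and the magic-byte comparison stops an allowed suffix being attached to non-image content. The `nosniff` and `sandbox` headers are defence in depth for the case where an upload path somewhere else in the application is less strict.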

Exploit: XSS

Weakness Enumeration

Related Identifiers: CVE-2023-37658

Affected Products: Fast-Poster