PT-2025-6113 · Unknown · Zoo-Project

Xbow-Security · Published 2025-02-10 · Updated 2025-02-12 · CVE-2025-25190

CVSS v4.0: 6.9
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions:

ZOO-Project versions prior to commit 7a5ae1a

Description:

The ZOO-Project Web Processing Service (WPS) Server contains a Cross-Site Scripting (XSS) vulnerability in its EchoProcess service. The vulnerability exists because the EchoProcess service directly reflects user input in its output without proper sanitization when handling complex inputs. The service accepts various input formats including XML, JSON, and SVG, and returns the content based on the requested MIME type. When processing SVG content and returning it with the image/svg+xml MIME type, the server fails to sanitize potentially malicious JavaScript in attributes like `onload`, allowing arbitrary JavaScript execution in the victim's browser context.

Recommendations:

For ZOO-Project versions prior to commit 7a5ae1a, update to a build that includes commit 7a5ae1a, which fixes the issue.

As a temporary workaround, consider disabling the EchoProcess service or restricting the handling of SVG content to minimize the risk of exploitation.

Avoid using the EchoProcess service with SVG inputs until the issue is resolved.
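The workaround above (restricting SVG handling) can be implemented as a sanitizing step that runs before EchoProcess returns a complex input with the image/svg+xml MIME type. The following Python is an added example, not ZOO-Project code: the function names and the sample SVG are constructed, and the CSP and nosniff response headers are defense-in-depth assumptions, not part of the fix in commit 7a5ae1a.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)  # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Matched on local names so namespaced forms (svg:script, xlink:href) are
# covered too; foreignObject is blocked because it can embed HTML.
BLOCKED_ELEMENTS = {"script", "foreignobject"}

def _local(name: str) -> str:
    return name.rsplit("}", 1)[-1].lower()

def sanitize_svg(svg_text: str) -> str:
    """Strip blocked elements, on* handlers and javascript: hrefs from SVG."""
    # Raises ET.ParseError on malformed XML, so callers reject rather than echo.
    root = ET.fromstring(svg_text)
    if _local(root.tag) in BLOCKED_ELEMENTS:
        raise ValueError("root element is not allowed")
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):
        if _local(elem.tag) in BLOCKED_ELEMENTS:
            parents[elem].remove(elem)  # drops the whole subtree
            continue
        for attr in list(elem.attrib):
            name = _local(attr)
            # Browsers ignore whitespace inside a URL scheme, so collapse it.
            value = "".join(elem.attrib[attr].split()).lower()
            if name.startswith("on") or (
                name == "href" and value.startswith("javascript:")
            ):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")

def safe_echo(body: str, mime_type: str) -> tuple:
    """Echo body; SVG is sanitized and served with a no-script CSP header."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if mime_type == "image/svg+xml":
        body = sanitize_svg(body)
        headers["Content-Security-Policy"] = "script-src 'none'"
    return mime_type, headers, body

# Constructed sample: the onload vector from the advisory plus two others.
SAMPLE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
              ' onload="alert(1)"><script>alert(2)</script>'
              '<a xlink:href="javascript:alert(3)"><text x="1" y="2">ok</text></a></svg>')
```

Sanitizing is the workaround only; the durable fix remains updating to commit 7a5ae1a.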

Tags: Exploit · Fix · XSS

Related Identifiers: CVE-2025-25190, GHSA-2569-6R9F-J7JV

Affected Products: Zoo-Project