CVE-2021-30140: XSS Vulnerability Detection in Liquid Files


Jun 15, 2022 | 1 minute read

Vulnerability Disclosure

LiquidFiles 3.4.15 has stored XSS via "send email" functionality when emailing a file to an administrator.

By Rodolfo Tavares

As part of the research carried out within the Tempest Security Intelligence Technical Consulting team, a Cross-Site Scripting (XSS) vulnerability was identified and reported in version 3.4.15 of the proprietary Liquid Files solution. MITRE recognized and publicly recorded it as CVE-2021-30140.

Liquid Files is a virtual appliance (pre-configured software, including the operating system) that can be installed in VMware, Microsoft Hyper-V and Xen environments, in its own private space in cloud environments such as Amazon AWS or Microsoft Azure Cloud, or, if preferred, on a dedicated server.

CVE-2021-30140 describes a stored XSS in LiquidFiles 3.4.15 via the “send email” functionality when emailing a file to an administrator. When a file has no extension and contains malicious HTML/JavaScript content (such as SVG with HTML content), the payload is executed with one click.
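An added example (not LiquidFiles code and not the vendor's fix) of one way a file-sharing application can serve uploads so that an extensionless file containing HTML/SVG is downloaded rather than rendered in the application's origin. The function names, the marker list and the header policy are assumptions of this example, and the sample input is constructed.

```python
import mimetypes
import re
from pathlib import PurePosixPath

# Heuristic markers of HTML/SVG that a browser would render (not exhaustive).
ACTIVE_MARKUP = re.compile(
    rb"<\s*(?:!doctype\s+html|html|svg|script|iframe|body|foreignobject)\b",
    re.IGNORECASE,
)
SNIFF_WINDOW = 4096  # number of leading bytes inspected


def looks_active(data: bytes) -> bool:
    """Return True if the start of the file contains renderable HTML/SVG markup."""
    head = data[:SNIFF_WINDOW]
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):  # UTF-16 BOM: normalise first
        head = head.decode("utf-16", errors="ignore").encode("utf-8")
    return bool(ACTIVE_MARKUP.search(head))


def download_headers(filename: str, data: bytes) -> dict:
    """Build response headers for serving an uploaded file to a recipient."""
    name = PurePosixPath(filename).name
    extensionless = PurePosixPath(name).suffix == ""
    guessed, _ = mimetypes.guess_type(name)
    # An extensionless file leaves the type to browser sniffing, and active
    # markup must never render in the application's origin: serve both as opaque.
    if extensionless or looks_active(data) or guessed is None:
        content_type = "application/octet-stream"
    else:
        content_type = guessed
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", name) or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample: an extensionless upload whose body is SVG wrapping HTML.
SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject><body>hi</body></foreignObject></svg>'

if __name__ == "__main__":
    for fname, body in [("invoice", SAMPLE), ("report.pdf", b"%PDF-1.7\n")]:
        print(fname, download_headers(fname, body))
```

Serving user uploads from a separate, cookieless origin complements these headers, since any markup that does render then runs outside the administrator's session.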

The CVE-2021-30140 entry and its references are available at the link below.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30140
