| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.haulmont.addon.restapi:restapi-rest-api | maven | < 7.2.7 | 7.2.7 |
The vulnerability description states that the /files endpoint can be manipulated into returning Content-Type: text/html when the requested filename ends with .html, so the browser renders the uploaded file and any script it contains executes in the application's origin (cross-site scripting). The provided commit b3d599f6657d7e212fdb134a61ab5e0888669eb1 patches this vulnerability.
The commit modifies FileDownloadController.java. Specifically, the downloadFile method is altered. A new method, resolveAttachmentValue, is introduced, and downloadFile now calls it to determine if a file should be served as an attachment or inline. The resolveAttachmentValue method checks the file extension against a configurable list of allowed inline extensions (inlineEnabledFileExtensions from RestApiConfig.java, also modified in the patch).
The downloadFile method is identified as the vulnerable function because it was the one directly responsible for serving the file and, prior to the patch, its logic for setting HTTP headers (like Content-Disposition and Content-Type) allowed HTML files to be rendered inline by the browser. The patch changes this behavior within downloadFile by incorporating the stricter logic from resolveAttachmentValue.
The other modified/added functions (resolveAttachmentValue in FileDownloadController.java and getInlineEnabledFileExtensions in RestApiConfig.java) are part of the mitigation, not the vulnerable code itself. The vulnerability existed in the downloadFile method's previous behavior.
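As an added illustration (not code from the project or from the commit), the shape of the check described above: a configured allowlist of inline-enabled extensions, with every other file forced to Content-Disposition: attachment so the browser downloads it rather than rendering it. The allowlist contents and the attachmentRequested flag are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Illustrative mitigation logic; the real check lives in FileDownloadController. */
public class InlineDispositionCheck {

    /** Constructed sample allowlist; in the patched addon it comes from RestApiConfig. */
    static final Set<String> INLINE_ENABLED_EXTENSIONS =
            new HashSet<>(Arrays.asList("jpg", "jpeg", "png", "gif", "pdf"));

    /** Returns the lower-cased extension of the last path segment, or "" if none. */
    static String extensionOf(String fileName) {
        if (fileName == null) return "";
        // Judge only the final segment so "img.png/page.html" is treated as "page.html".
        int slash = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
        String base = fileName.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return "";
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /**
     * Mirrors the role of resolveAttachmentValue: true means the response must carry
     * Content-Disposition: attachment. attachmentRequested is an assumed caller flag.
     */
    static boolean resolveAttachmentValue(String fileName, boolean attachmentRequested) {
        if (attachmentRequested) return true;              // explicit download request
        String ext = extensionOf(fileName);
        return !INLINE_ENABLED_EXTENSIONS.contains(ext);   // .html, no extension, etc.
    }

    /** Builds the header value; a real controller must also encode the filename. */
    static String contentDispositionHeader(String fileName, boolean attachmentRequested) {
        String kind = resolveAttachmentValue(fileName, attachmentRequested) ? "attachment" : "inline";
        return kind + "; filename=\"" + fileName + "\"";
    }

    public static void main(String[] args) {
        System.out.println(contentDispositionHeader("report.pdf", false));   // inline
        System.out.println(contentDispositionHeader("page.html", false));    // attachment
        System.out.println(contentDispositionHeader("page.HTML", false));    // attachment
        System.out.println(contentDispositionHeader("noext", false));        // attachment
        System.out.println(contentDispositionHeader("report.pdf", true));    // attachment
    }
}
```

The decisive property is that the default branch is "attachment": a filename whose extension is absent, unusual, or deliberately chosen to be rendered by the browser never reaches the inline path unless an administrator has listed it.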