GHSA-x27v-f838-jh93

Source
https://github.com/advisories/GHSA-x27v-f838-jh93
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-x27v-f838-jh93/GHSA-x27v-f838-jh93.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-x27v-f838-jh93
Aliases
Related
Published
2025-04-22T16:55:13Z
Modified
2025-05-27T17:19:00Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
Details

Impact

The input parameter of the /files endpoint, which consists of a file path and a file name, can be manipulated so that the response is returned with a Content-Type header of text/html whenever the name part ends with .html. A browser then renders the file inline, which could allow malicious JavaScript contained in it to be executed. For a successful attack, a malicious file needs to be uploaded beforehand.

The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST API are typically accessible only to authenticated users. Additionally, the /files endpoint in Jmix requires specific permissions and is disabled by default.
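The following is an added example, not code from Jmix or from the advisory; it is written in Python rather than Java so the header logic can be shown without depending on any framework. It contrasts the pattern the advisory describes (Content-Type derived directly from the user-supplied name, so a name ending in .html is served as text/html and rendered) with a hardened download handler that serves user-uploaded files as attachments, refuses to label them with browser-active types, and sets nosniff. The sample names, the `ACTIVE_TYPES` set and the function names are assumptions made for this example.

```python
import mimetypes
import posixpath
import re

# Constructed sample names of the kind a /files endpoint might receive
# (made-up values for this example, not taken from Jmix).
SAMPLE_NAMES = ["report.pdf", "avatar.png", "notes.html", "../etc/passwd.html", "evil.HTML"]

# Media types a browser will render as active content (script-capable) when
# served inline. Assumed list for the example; extend to taste.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}

SAFE_FILENAME = re.compile(r"[^A-Za-z0-9._-]")


def naive_headers(name: str) -> dict:
    """Vulnerable pattern from the advisory: the response Content-Type is derived
    from the user-controlled name, so 'x.html' is served as text/html and the
    browser executes any script inside the uploaded file."""
    ctype, _ = mimetypes.guess_type(name.lower())
    return {"Content-Type": ctype or "application/octet-stream"}


def hardened_headers(name: str) -> dict:
    """Hardened download handler for user-uploaded content:
    - drop any path component before deriving anything from the name,
    - never label the body with a browser-active type,
    - force a download instead of inline rendering,
    - forbid MIME sniffing so the browser cannot 'upgrade' the type itself."""
    basename = posixpath.basename(name)
    ctype, _ = mimetypes.guess_type(basename.lower())
    ctype = (ctype or "application/octet-stream").lower()
    if ctype in ACTIVE_TYPES:
        ctype = "application/octet-stream"
    safe_name = SAFE_FILENAME.sub("_", basename) or "download"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def is_rendered_inline(headers: dict) -> bool:
    """Defender's check: would a browser render this response as active content?
    True when the type is script-capable and nothing forces a download."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "").lower()
    return ctype in ACTIVE_TYPES and not disposition.startswith("attachment")


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:24} naive inline={is_rendered_inline(naive_headers(n))!s:5} "
              f"hardened={hardened_headers(n)}")
```

The check in `is_rendered_inline` is also a convenient unit test to keep around a file-serving endpoint: feed it the headers your handler produces for a name ending in .html and fail the build if it ever returns True.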

Patches

The problem has been fixed in Jmix 1.6.2+ and 2.4.0+.

Workarounds

A workaround for those who are unable to upgrade: disable the Files endpoint in the Jmix application.

Database specific
{
    "github_reviewed_at": "2025-04-22T16:55:13Z",
    "severity": "MODERATE",
    "nvd_published_at": "2025-04-22T18:15:59Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Maven / io.jmix.rest:jmix-rest

Package

Name
io.jmix.rest:jmix-rest
Purl
pkg:maven/io.jmix.rest/jmix-rest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.6.2

Maven / io.jmix.rest:jmix-rest

Package

Name
io.jmix.rest:jmix-rest
Purl
pkg:maven/io.jmix.rest/jmix-rest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.4.0