Stored XSS injection when viewing uploaded files

High
devGregA published GHSA-f82x-m585-gj24 Jan 23, 2022

Package

Defect Dojo (GitHub)

Affected versions

< 2.6.0

Patched versions

2.6.0

Description

Impact

Files can be uploaded for Engagements, Tests and Findings. If such a file contains an XSS injection, this injection is executed when viewing the file.

Patches

The issue has been patched with release 2.6.0. The HTTP header Content-Disposition: attachment is now set on the response, so the file is downloaded as an attachment rather than rendered directly in the browser.
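As an added example (not Defect Dojo's own code), the following Python contrasts the two ways of serving an uploaded file described above: rendered inline, where an HTML upload executes in the viewer's browser, and as a forced download with Content-Disposition: attachment, together with a response-header check a defender can run. The in-memory UPLOADS store, the sample file and the function names are assumptions made for this illustration.

```python
"""Serve an uploaded file as an attachment instead of rendering it inline."""
import mimetypes
import re
from urllib.parse import quote

# Constructed sample: an "uploaded" evidence file that happens to contain a script.
UPLOADS = {
    "evidence.html": b"<html><body><script>alert(1)</script></body></html>",
}

def _sanitize_filename(name: str) -> str:
    # Drop path components, quotes and CR/LF so the name cannot smuggle extra headers.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r'[\r\n"]', "", name) or "download"

def content_disposition(filename: str) -> str:
    """Build an RFC 6266 attachment header: ASCII fallback plus UTF-8 filename*."""
    safe = _sanitize_filename(filename)
    ascii_fallback = safe.encode("ascii", "replace").decode("ascii")
    return f'attachment; filename="{ascii_fallback}"; filename*=UTF-8\'\'{quote(safe)}'

def serve_inline(filename: str):
    """Unsafe pattern (assumed for illustration): content type is guessed from the
    name and no disposition is set, so the browser renders an HTML upload and runs it."""
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return 200, {"Content-Type": ctype}, UPLOADS[filename]

def serve_as_attachment(filename: str):
    """Hardened pattern: force a download and forbid MIME sniffing."""
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": content_disposition(filename),
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, UPLOADS[filename]

def response_is_safe(headers: dict) -> bool:
    """Defender-side check: a response is safe if it forces a download, or if its
    content type cannot carry active content when rendered inline."""
    disp = headers.get("Content-Disposition", "").lower()
    ctype = headers.get("Content-Type", "").lower()
    if disp.startswith("attachment"):
        return True
    return not any(t in ctype for t in ("text/html", "image/svg", "application/xhtml"))
```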

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

No known CVE

Weaknesses

Credits