
CVE-2022-21650: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in convos-chat convos

Medium
Published: Tue Jan 04 2022 (01/04/2022, 20:40:14 UTC)
Source: CVE
Vendor/Project: convos-chat
Product: convos

Description

Convos is an open source multi-user chat that runs in a web browser. You can't use the .svg extension in Convos' chat window, but you can upload a file with an .html extension. By uploading an SVG file with an .html extension, the upload filter can be bypassed. This causes stored XSS: after the file is uploaded, the XSS attack is triggered when a user views the file. Through this vulnerability, an attacker is capable of executing malicious scripts. Users are advised to update as soon as possible.

AI-Powered Analysis

Last updated: 06/22/2025, 04:21:35 UTC

Technical Analysis

CVE-2022-21650 is a stored cross-site scripting (XSS) vulnerability in Convos, an open-source multi-user chat application that runs in the web browser. The root cause is improper input validation and neutralization during web page generation (CWE-79). Convos rejects SVG files in its chat window but accepts uploads with an .html extension; an attacker can bypass this extension-based filter by uploading an SVG file renamed with an .html extension. The malicious file is then stored on the server, and its payload runs whenever a user views the file in the chat interface. This stored XSS lets an attacker execute arbitrary JavaScript in the context of the victim's browser session, which can lead to session hijacking, credential theft, or further exploitation within the application. Affected versions are Convos 6.48 up to, but not including, 6.52. Although no exploitation in the wild has been reported, the flaw poses a significant risk because stored XSS reaches every user who accesses the malicious content. The vulnerability was publicly disclosed on January 4, 2022; users are advised to update to version 6.52 or later, which lies outside the affected range. No official patch links were provided in the source information.

Potential Impact

For European organizations using Convos as part of their internal or external communication infrastructure, this vulnerability could lead to unauthorized execution of malicious scripts within user browsers. The impact includes potential compromise of user credentials, session tokens, and sensitive chat data, undermining confidentiality and integrity. Additionally, attackers could leverage the XSS to perform phishing attacks, spread malware, or pivot to other internal systems. Given that Convos is a chat platform, the availability impact is limited but could be indirectly affected if the application is taken offline to remediate or if users lose trust in the platform. The risk is heightened in environments where Convos is used for sensitive communications, such as governmental, financial, or healthcare sectors prevalent in Europe. The stored nature of the XSS means that once a malicious file is uploaded, all users accessing the chat are exposed, increasing the attack surface. While no active exploitation is known, the ease of bypassing upload filters and the lack of user interaction required beyond viewing the file make this a credible threat.

Mitigation Recommendations

1. Immediately upgrade Convos installations to version 6.52 or later, where the vulnerability is addressed.
2. Implement strict server-side validation and sanitization of uploaded files, ensuring that file content matches the declared extension and disallowing HTML or SVG content in uploads unless explicitly required and safely handled.
3. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the impact of potential XSS payloads.
4. Regularly audit and monitor uploaded files for suspicious content, possibly integrating automated scanning tools that detect embedded scripts in files.
5. Educate users about the risks of interacting with untrusted files and encourage reporting of suspicious content.
6. Consider disabling file uploads entirely if not essential, or restrict uploads to trusted users only.
7. Implement web application firewalls (WAF) with rules tailored to detect and block XSS attack patterns specific to Convos.
8. Conduct periodic security assessments and penetration testing focusing on input validation and file upload mechanisms.
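Recommendations 2 and 3 describe content-based upload validation and CSP. As an added example (not Convos's own code), the Python below rejects an upload whose leading bytes are HTML/SVG markup regardless of the extension it carries, and builds response headers that serve accepted files as non-renderable downloads. The sample SVG and the extension list, regex and CSP values are the editor's constructions, not the project's.

```python
import re
from dataclasses import dataclass

# Extensions a browser renders as markup when served inline (editor's list, not Convos's).
MARKUP_EXTENSIONS = {"html", "htm", "xhtml", "svg", "xml"}
# Opening tags that mark a byte stream as renderable markup; matched on the leading bytes only.
_MARKUP_RE = re.compile(rb"<\s*(?:!doctype\s+html|html|svg|script|iframe|\?xml)\b", re.IGNORECASE)
# Constructed sample: SVG content of the kind the advisory says was uploaded under an
# .html name (the script body is an inert marker, not a payload).
SAMPLE_SVG = (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* constructed marker */</script></svg>')

@dataclass
class UploadDecision:
    accepted: bool
    reason: str

def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def sniff_markup(data: bytes, limit: int = 4096) -> bool:
    """True if the first `limit` bytes open an HTML/SVG/XML document. An
    extension-only filter, as described in the advisory, never looks here."""
    head = data[:limit].lstrip(b"\xef\xbb\xbf \t\r\n")  # drop UTF-8 BOM and whitespace
    return _MARKUP_RE.search(head) is not None

def check_upload(filename: str, data: bytes) -> UploadDecision:
    """Reject by extension first, then by content, so a renamed SVG is still caught."""
    ext = extension_of(filename)
    if ext in MARKUP_EXTENSIONS:
        return UploadDecision(False, f"extension .{ext} is not allowed")
    if sniff_markup(data):
        return UploadDecision(False, f"content is markup despite .{ext or '(none)'} extension")
    return UploadDecision(True, "ok")

def download_headers(filename: str) -> dict:
    """Headers for serving an accepted upload so the browser never renders it as a
    document: forced download, no MIME sniffing, and a CSP that allows no script."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The content check applies to every extension the application does accept, so the bypass described on this page (markup hidden behind an allowed extension) fails even if the allow-list changes later.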


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-11-16T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9848c4522896dcbf6100

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 4:21:35 AM

Last updated: 7/29/2025, 12:58:31 AM


