Summary by anthonyjsaab
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the GLOBE platform due to improper validation of uploaded files.
The application allows users to upload HTML files containing JavaScript, which are then served with a text/html content type. When accessed, these files execute within the context of the globe.gov domain.
This issue could allow an attacker to craft a malicious file and share a trusted .gov link that executes arbitrary JavaScript in victims’ browsers.
The vulnerability highlights the importance of strict file type validation and secure content handling when implementing file upload functionality.