Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictio…

Budibase open-source low-code platform contains a vulnerability in versions prior to 3.38.2 where the file upload endpoint does not enforce active-content restrictions for authenticated users. Authenticated builders can upload executable web content including SVG files with inline script tags, HTML pages with JavaScript, and JS modules. These files are stored in object storage with correct MIME types, and when accessed via signed URLs, browsers execute the malicious payload. This results in persistent stored XSS affecting all application end users. The vulnerability has been fixed in version 3.38.2.