CVE-2021-3619: 
Velociraptor vulnerability analysis and mitigation

Rapid7 Velociraptor version 0.5.9 and prior was affected by a post-authentication persistent cross-site scripting (XSS) vulnerability (CVE-2021-3619). The vulnerability was discovered in June 2021 and fixed in version 0.6.0. The issue allowed authenticated users to abuse MIME filetype sniffing to embed executable code through malicious file uploads (CVE Mitre).

The vulnerability stemmed from the application's use of http.FileServer, which had two significant issues: it performed MIME type sniffing when serving files, potentially leading to stored XSS attacks, and it allowed directory listing by generating index files. The vulnerability was classified as CWE-79 (Cross-site Scripting) (Github PR).

The vulnerability could allow authenticated users to execute malicious code through file uploads. However, the impact was somewhat limited as login rights to Velociraptor are typically restricted to trusted and verified users with IT security backgrounds (CVE Mitre).

The vulnerability was addressed in Velociraptor version 0.6.0 by forcing 404 on directory access and enforcing binary/octet-stream MIME type on all items in the notebook. Users should upgrade to version 0.6.0 or later to resolve this security issue (Github Release).