Impact
The previewServlet in efw4.X returns uploaded files using the MIME type inferred from the file extension, with no content sanitization or security headers. When a file with a .html, .htm, or .svg extension contains embedded JavaScript, that code is served as text/html or image/svg+xml and executes in the victim's browser within the application's origin. This allows an attacker to run arbitrary JavaScript against users of the web application, facilitating theft of session data, credential phishing, or other malicious actions. The flaw is classified as stored cross-site scripting (CWE-80) and carries a CVSS score of 4.6.
Affected Systems
The efwGrp:efw4.X framework is affected in all releases earlier than 4.08.010. Versions 4.08.010 and later contain the remediation.
Risk and Exploitability
The CVSS score of 4.6 denotes moderate severity, and no EPSS score is available, so the likelihood of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. Attackers would need the ability to upload or modify a file that will be served by previewServlet, typically requiring a user with upload permissions or administrative access. Once the malicious file is accessible, any authenticated or unauthenticated user browsing that file will have the embedded JavaScript executed under the domain of the application, enabling a range of client-side attacks. Because the vector relies on file upload and file-preview functionality, the exposure is limited to environments that expose previewServlet to users and allow the upload of the offending file types.
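The two defects named in the Impact section, a content type inferred from the extension and a response with no security headers, are what a fixed preview endpoint has to address. The servlet below is an added example written against the plain javax.servlet API; it is not efw's previewServlet or its patch, and the class name, the upload directory /var/app/uploads, and the request parameter name "file" are assumptions. It shows the defensive pattern: choose the Content-Type from an allow-list of script-free formats, force a download under a generic type for .html, .htm, .svg and anything unrecognised, and send X-Content-Type-Options and a sandboxing Content-Security-Policy on every response.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical hardened file-preview endpoint (added example, not efw's previewServlet).
 * The content type comes from an allow-list instead of the file extension, and
 * script-capable formats are never rendered inline in the application's origin.
 */
public class SafePreviewServlet extends HttpServlet {

    // Assumed storage location; efw's actual upload directory is not given in the advisory.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Formats that cannot carry script when rendered, with the exact type we will send.
    private static final Map<String, String> INLINE_TYPES = Map.of(
            "png", "image/png",
            "jpg", "image/jpeg",
            "jpeg", "image/jpeg",
            "gif", "image/gif",
            "webp", "image/webp",
            "pdf", "application/pdf",
            "txt", "text/plain; charset=utf-8");

    // Script-capable formats (.html, .htm and .svg are the ones named in the advisory).
    // Unknown extensions already fall through to the download path; this set makes the
    // decision explicit for the formats the advisory is about.
    private static final Set<String> ACTIVE_CONTENT =
            Set.of("html", "htm", "xhtml", "svg", "xml", "js", "mht", "mhtml");

    static String extensionOf(String fileName) {
        int dot = fileName.lastIndexOf('.');
        return dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Content type for inline rendering, or null when the file must be downloaded instead. */
    static String inlineContentType(String fileName) {
        String ext = extensionOf(fileName);
        if (ACTIVE_CONTENT.contains(ext)) {
            return null;
        }
        return INLINE_TYPES.get(ext); // null for anything not on the allow-list
    }

    /** Keep the filename to characters that cannot break out of a header value. */
    static String headerSafeName(String fileName) {
        return fileName.replaceAll("[^A-Za-z0-9._-]", "_");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String requested = req.getParameter("file"); // assumed parameter name
        if (requested == null || requested.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Resolve under the upload directory and refuse anything that escapes it.
        Path target = UPLOAD_DIR.resolve(requested).normalize();
        if (!target.startsWith(UPLOAD_DIR) || !Files.isRegularFile(target)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String fileName = headerSafeName(target.getFileName().toString());

        // Headers sent on every response from this endpoint.
        resp.setHeader("X-Content-Type-Options", "nosniff");                      // browser must not re-guess the type
        resp.setHeader("Content-Security-Policy", "sandbox; default-src 'none'"); // opaque origin, no script, if rendered at all
        resp.setHeader("Cache-Control", "no-store");

        String inlineType = inlineContentType(fileName);
        if (inlineType != null) {
            resp.setContentType(inlineType);
            resp.setHeader("Content-Disposition", "inline; filename=\"" + fileName + "\"");
        } else {
            // .html, .htm, .svg and anything unrecognised: generic type plus forced download,
            // so the bytes are never interpreted as a document in the application's origin.
            resp.setContentType("application/octet-stream");
            resp.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        }
        resp.setContentLengthLong(Files.size(target));
        Files.copy(target, resp.getOutputStream());
    }
}
```

The attachment disposition and generic type are what stop an uploaded .html or .svg from rendering as a page in the application's origin; nosniff stops the browser from re-deriving text/html from the bytes, and the CSP sandbox directive is defence in depth in case a renderable type is ever added to the allow-list by mistake. Serving user uploads from a separate origin altogether is the stronger control; the headers above are the minimum for an endpoint that stays on the application host.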
OpenCVE Enrichment