CVE-2026-27822
RustFS · RustFS Console
A stored cross-site scripting (XSS) vulnerability in the RustFS Console allows attackers to steal administrator credentials and achieve full system compromise.
Executive summary
Attackers can exploit a stored XSS flaw in the RustFS management console to hijack administrator sessions and gain complete control over the distributed storage system.
Vulnerability
The vulnerability exists in the PDF preview logic of the management console. By bypassing this logic, an attacker can store a malicious payload that executes arbitrary JavaScript in the browser of any administrator who views it, enabling the theft of credentials from localStorage.
Business impact
Compromise of the RustFS Console grants an attacker full access to the distributed object storage system. This could lead to massive data breaches, unauthorized data deletion, or the injection of malicious files into the storage network. The CVSS score of 9.0 reflects this high potential for system-wide impact.
Remediation
Immediate Action: Update RustFS to version 1.0.0-alpha.83 to resolve the XSS vulnerability and secure the PDF preview component.
Proactive Monitoring: Monitor the RustFS Console for unusual administrative logins and audit the storage system for any unauthorized file uploads or configuration changes.
Compensating Controls: Implement a Content Security Policy (CSP) that restricts the execution of inline scripts and prevents data from being sent to unauthorized external domains.
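A checker for the CSP compensating control above, added here as an example (not RustFS code or the advisory's own material): it parses a Content-Security-Policy header the way a browser groups directives, applies the default-src fallback, and flags settings that would still let an injected inline script run or ship localStorage contents to an unlisted origin. The two sample policies at the bottom are constructed for illustration.

```python
"""Audit a Content-Security-Policy header for the two properties the
compensating control asks for: no inline-script execution and no outbound
connections to unlisted origins. Added example, not part of RustFS."""

INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective(policy: dict[str, list[str]], directive: str):
    """Fetch directives fall back to default-src when not set explicitly."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def csp_findings(header: str) -> list[str]:
    """Return human-readable weaknesses; an empty list means both checks pass."""
    policy = parse_csp(header)
    findings: list[str] = []
    script = effective(policy, "script-src")
    if script is None:
        findings.append("script-src: unset and no default-src; inline scripts run")
    else:
        # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP3).
        has_override = any(s.startswith(INLINE_OVERRIDES) for s in script)
        if "'unsafe-inline'" in script and not has_override:
            findings.append("script-src: 'unsafe-inline' lets stored payloads execute")
        if "*" in script or "data:" in script:
            findings.append("script-src: wildcard or data: source loads foreign scripts")
    # connect-src governs fetch/XHR/sendBeacon/WebSocket, the usual exfil paths.
    connect = effective(policy, "connect-src")
    if connect is None:
        findings.append("connect-src: unrestricted; stolen tokens can go anywhere")
    elif "*" in connect:
        findings.append("connect-src: wildcard allows exfiltration to any origin")
    return findings


# Constructed sample policies: a permissive one and a hardened one.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline'"
HARDENED_CSP = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
                "object-src 'none'; frame-ancestors 'none'")
```

img-src and form-action are further channels an injected script can use to leak data, so a full review should constrain them as well.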
Exploitation status
Public Exploit Available: No
Analyst recommendation
Storage infrastructure is a primary target for ransomware and data exfiltration. We strongly urge administrators to apply the 1.0.0-alpha.83 update immediately and review console access logs for any signs of session hijacking.