Submission #792242: LangGenius Dify v1.13.3 Cross-Site Scripting (CWE-79)

Information

Title: LangGenius Dify v1.13.3 Cross-Site Scripting (CWE-79)
Description:

# Technical Details

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the `ImagePreview` component of the Dify web frontend application. When a user clicks "Open in New Tab" to view a Base64-encoded image in a new window, the application dynamically constructs an HTML document for the new tab. The `title` parameter, which is derived directly from the image's original filename, is interpolated into an HTML string using a template literal and rendered via `document.write()` without any HTML entity encoding or sanitization.

# Vulnerable Code

File: web/app/components/base/image-uploader/image-preview.tsx
Method: openInNewTab
Why: In `openInNewTab()`, if the URL is a Base64 string (`data:image`), the application spawns a new window and calls `` win?.document.write(`<img src="${url}" alt="${title}" />`) ``. Because `title` stems from the user-controlled filename, an attacker can include a double quote (`"`) and a closing bracket (`>`) to break out of the `alt` attribute context and inject an arbitrary `<script>` payload.

# Reproduction

1. Connect to the Dify application and upload an image file, but intercept the upload request (or rename the file locally) to give it a malicious filename, such as: `"><script>alert("XSS")</script><img alt=".png`
2. Send this file/attachment in a conversation or upload context where another user (or administrator) will view it.
3. The Dify frontend API stores the filename and propagates it to the `file-item` component, which hands it to `ImagePreview` as the `title` prop.
4. The victim clicks the "Open in New Tab" button on the image.
5. A new window opens and `document.write` writes the malicious script. The JavaScript alert or payload executes immediately in the context of the Dify frontend application.

# Impact

- Session Hijacking (the attacker's JavaScript can steal authentication tokens or cookies).
- Account Takeover (the script can execute administrative actions on behalf of the victim).
- Data Theft (accessing and exfiltrating prompts, knowledge bases, or sensitive data visible to the victim).
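The sink pattern the submission describes, shown as an added example that is neither the submitter's code nor Dify's own source. It builds the same `<img>` markup three ways: raw template-literal interpolation (the vulnerable shape), the same string with every interpolated value HTML-escaped, and a variant that skips markup entirely and assigns `src`/`alt` as element properties. All function names (`buildVulnerableImageHtml`, `buildEscapedImageHtml`, `appendImageViaDom`, `tagNames`, `isDataImageUrl`), the sample data URL and the filename are constructed for this illustration; the filename has the same shape as the payload in the reproduction steps.

```javascript
// Added example (not Dify's code): the document.write sink pattern from the
// advisory, an escaped variant, and a DOM-property variant, each fed the
// same attacker-controlled filename. All names here are illustrative only.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw interpolation of url and title into markup, the
// shape the advisory attributes to openInNewTab().
function buildVulnerableImageHtml(url, title) {
  return `<img src="${url}" alt="${title}" />`;
}

// Hardened string variant: every interpolated value is encoded for the
// attribute context before the template literal is assembled.
function buildEscapedImageHtml(url, title) {
  return `<img src="${escapeHtml(url)}" alt="${escapeHtml(title)}" />`;
}

// Preferred fix: never build markup from the filename at all. Assigning
// element properties stores the title as data; the HTML parser never sees it.
// `win` is whatever window.open() returned (or a stand-in object in tests).
function appendImageViaDom(win, url, title) {
  const img = win.document.createElement('img');
  img.src = url;
  img.alt = title;
  win.document.body.appendChild(img);
  return img;
}

// Guard mirroring the branch the advisory describes: the sink is only reached
// for data: image URLs. Kept as a plain predicate so it can be unit-tested.
function isDataImageUrl(url) {
  return typeof url === 'string' && url.startsWith('data:image');
}

// Minimal tag tokenizer used to show which elements the browser would see.
// Deliberately simple: enough to spot an injected <script>, not a full parser.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Does the rendered markup contain a script element the author never wrote?
function containsInjectedScript(html) {
  return tagNames(html).includes('script');
}

// Constructed inputs: the filename matches the shape of the advisory's payload;
// the data URL is a tiny placeholder, not a real image.
const MALICIOUS_FILENAME = '"><script>alert("XSS")</script><img alt=".png';
const SAMPLE_DATA_URL = 'data:image/png;base64,iVBORw0KGgo=';

// Run both string builders on the same inputs and report what the parser sees.
function demo() {
  const vulnerable = buildVulnerableImageHtml(SAMPLE_DATA_URL, MALICIOUS_FILENAME);
  const escaped = buildEscapedImageHtml(SAMPLE_DATA_URL, MALICIOUS_FILENAME);
  return {
    vulnerableTags: tagNames(vulnerable),                   // ['img', 'script', 'script', 'img']
    escapedTags: tagNames(escaped),                         // ['img']
    vulnerableInjected: containsInjectedScript(vulnerable), // true
    escapedInjected: containsInjectedScript(escaped),       // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Two points a practitioner will want alongside this. First, the reason the payload runs "in the context of the Dify frontend" is that the window returned by `window.open()` starts as an `about:blank` document that inherits the opener's origin, so anything written into it with `document.write()` executes with the application's origin, cookies and storage. Second, escaping is context-specific: `escapeHtml` is correct for a double-quoted attribute value, but the property-assignment variant removes the question entirely because the filename is never parsed as markup, which is why it is the better fix.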
Source: https://gist.github.com/chenhouser2025/a8ac169dad5cf84811cf9c0505491ea8
User: Eric-g (UID 96879)
Submitted: 29/03/2026 06:04 AM (23 days ago)
Moderation: 19/04/2026 06:18 PM (22 days later)
Status: Approved
VulDB Entry: 358254 [langgenius dify up to 1.13.3 ImagePreview image-preview.tsx openInNewTab filename cross site scripting]
Points: 20
