जमा करें #852825: AstrBotDevs AstrBot 4.25.2 Cross-site Scripting (CWE-79)जानकारी

शीर्षकAstrBotDevs AstrBot 4.25.2 Cross-site Scripting (CWE-79)
विवरण# Technical Details A template/script injection vulnerability exists in the `Star.text_to_image` and `NetworkRenderStrategy.render` methods in `astrbot/core/star/base.py` and `astrbot/core/utils/t2i/network_strategy.py` of AstrBot. The application fails to sanitize untrusted user input before rendering it in bundled HTML templates for the text-to-image (T2I) feature. # Vulnerable Code File: astrbot/core/utils/t2i/template/base.html Method: [Template Rendering] Why: The default bundled template embeds the text using `{{ text | safe }}` inside a `<textarea>`, which disables HTML escaping. An attacker can use `</textarea><script>...</script>` to break out of the textarea and execute arbitrary scripts. # Reproduction 1. Ensure the T2I feature is enabled using the remote rendering strategy. 2. Supply untrusted text containing a payload like: `</textarea><script>alert('xss')</script>` directly into the chat or message flow. 3. Observe that the payload breaks out of the textarea during Markdown-to-`innerHTML` rendering and executes as a script in the remote T2I renderer context. # Impact - Inject script/HTML into the remote T2I renderer context. - Tamper with or falsify rendered output images. - Potentially expand impact depending on the renderer’s capabilities and isolation boundaries.
स्रोत⚠️ https://gist.github.com/YLChen-007/2abcecece4369c46cc8405e597c0528b
उपयोगकर्ता Eric-d (UID 96861)
सबमिशन09/06/2026 10:51 AM (1 महीना पहले)
संयम17/07/2026 03:39 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि379788 [AstrBotDevs AstrBot तक 4.25.2 T2I Feature base.py Star.text_to_image/NetworkRenderStrategy.render क्रॉस साइट स्क्रिप्टिंग]
अंक20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!