| タイトル | Weights and Biases OpenUI <= 1.0 (commit f9d8f0e) Cross-Site Scripting (CWE-79) |
|---|
| 説明 | # Technical Details
A Stored XSS and Arbitrary Code Execution vulnerability exists in the annotator iframe (`frontend/public/annotator/index.html`) of Weights and Biases OpenUI.
LLM-generated HTML and JavaScript responses are rendered directly into a sandboxed iframe without any sanitization. The iframe sandbox configuration (allow-same-origin allow-scripts) negates isolation — injected scripts get full access to parent.document.cookie and parent.localStorage. The annotator uses wrapper.innerHTML = event.data.html (line 566) and dynamically creates script elements (lines 591-598). No DOMPurify or origin validation exists. A malicious or compromised LLM provider can achieve session hijacking and account takeover.
# Vulnerable Code
File: frontend/public/annotator/index.html (lines 566, 591-598, 515)
Method: Window message event handler
Why: wrapper.innerHTML assigns unsanitized HTML. Script elements are dynamically created and appended to document.body. The iframe uses allow-same-origin + allow-scripts (documented anti-pattern). No event.origin check on the message handler.
# Reproduction
1. Run a malicious LLM server that returns HTML with <script> tags in SSE stream.
2. Configure OpenUI to use the malicious server via OPENAI_BASE_URL.
3. Submit any prompt — injected script executes in iframe, accessing parent.document.cookie.
# Impact
- Session hijacking via parent.document.cookie access.
- Data exfiltration from parent.localStorage and sessionStorage.
- Persistent compromise: malicious UIs stored and re-rendered on revisit. |
|---|
| ソース | ⚠️ https://gist.github.com/YLChen-007/899f210b2d78e163d13561bb7f49b4da |
|---|
| ユーザー | Eric-b (UID 96354) |
|---|
| 送信 | 2026年03月12日 02:52 (18 日 ago) |
|---|
| モデレーション | 2026年03月27日 14:48 (15 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 353882 [wandb OpenUI 迄 1.0 Window Message Event index.html クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|