| 제목 | assafelovic gpt-researcher 3.4.3 Stored Cross-Site Scripting (XSS) |
|---|
| 설명 | GPT Researcher v3.4.3 and earlier versions are vulnerable to Stored Cross-Site Scripting (XSS) through the unauthenticated Report API. An attacker can inject arbitrary HTML and JavaScript into research reports via `POST /api/reports` or `PUT /api/reports/{id}` without authentication. The injected payload is stored server-side and rendered unsanitized in the NextJS frontend when any user navigates to the report URL (`/research/{id}`). The NextJS frontend uses `remark-html` with `sanitize: false` and renders the output via React's `dangerouslySetInnerHTML`, executing the attacker's JavaScript in the victim's browser. |
|---|
| 원천 | ⚠️ https://github.com/assafelovic/gpt-researcher/issues/1693 |
|---|
| 사용자 | Yu-Bao (UID 96702) |
|---|
| 제출 | 2026. 03. 23. AM 03:23 (24 날 ago) |
|---|
| 모더레이션 | 2026. 04. 05. PM 09:12 (14 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 355418 [assafelovic gpt-researcher 까지 3.4.3 Report API backend/server/app.py 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|