| Field | Value |
|---|---|
| Title | LangGenius Dify v1.13.3 Cross-Site Scripting (CWE-79) |

# Description
# Technical Details
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the `ImagePreview` component of the Dify web frontend application.
When a user clicks "Open in New Tab" to view a Base64 encoded image in a new window, the application dynamically constructs an HTML document for the new tab. The `title` parameter, which is directly derived from the image's original filename, is interpolated into an HTML string using template literals and rendered via `document.write()` without any HTML entity encoding or sanitization.
# Vulnerable Code
File: web/app/components/base/image-uploader/image-preview.tsx
Method: openInNewTab
Why: In `openInNewTab()`, if the URL is a base64 string (`data:image`), the application spawns a new window and calls ``win?.document.write(`<img src="${url}" alt="${title}" />`)``. Because `title` stems from the user-controlled filename, an attacker can input double quotes (`"`) and closing tags (`>`) to break out of the `alt` attribute context and inject an arbitrary `<script>` payload.
# Reproduction
1. Connect to the Dify application and upload an image file, but intercept the upload request (or rename the file locally) to give it a malicious filename, such as: `"><script>alert("XSS")</script><img alt=".png`
2. Send this file/attachment in a conversation or upload context where another user (or administrator) will view it.
3. The Dify frontend API stores the filename and propagates it to the `file-item` component, which hands it to `ImagePreview` as the `title` prop.
4. The victim clicks the "Open in New Tab" button on the image.
5. A new window opens and `document.write` writes the malicious script. The JavaScript alert or payload immediately executes within the context of the Dify frontend application.
# Impact
- Session Hijacking (The attacker's JavaScript can steal authentication tokens or cookies).
- Account Takeover (The script can execute administrative actions on behalf of the victim).
- Data Theft (Accessing and exfiltrating prompts, knowledge bases, or sensitive data visible to the victim).
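The following is an added example, not code from Dify or from the report author, showing the attribute break-out the report describes next to a hardened variant of the same rendering step. The function names (`escapeHtml`, `renderPreviewUnsafe`, `renderPreviewSafe`, `extraTagCount`) and the sample filename and data: URL are constructed for illustration; the `data:image/` prefix check is an additional hardening assumption, not something the report states the project does.

```javascript
// Added example (not Dify's code): encoding the filename before it is
// interpolated into the markup written into the "Open in New Tab" window.
// All names below are hypothetical.

// Minimal HTML entity encoder for the five characters that can change
// parsing context inside an attribute value or a text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors the vulnerable pattern: the title is dropped straight into markup.
function renderPreviewUnsafe(url, title) {
  return `<img src="${url}" alt="${title}" />`;
}

// Hardened variant: this branch only ever handles a base64 image data: URL,
// so reject anything else (assumption), then encode both interpolated values.
function renderPreviewSafe(url, title) {
  if (!/^data:image\/[a-z0-9.+-]+;base64,[A-Za-z0-9+\/=]+$/i.test(url)) {
    throw new Error('expected a base64 image data: URL');
  }
  return `<img src="${escapeHtml(url)}" alt="${escapeHtml(title)}" />`;
}

// Defender-side check: how many tags beyond the single intended <img>
// does the rendered markup contain? Anything above zero means the
// filename escaped the attribute context.
function extraTagCount(html) {
  const tags = html.match(/<[a-zA-Z!/][^>]*>/g) || [];
  return tags.length - 1;
}

// Constructed sample input: a filename carrying a quote and a closing tag,
// the same kind of attribute break-out the report describes.
const sampleUrl = 'data:image/png;base64,iVBORw0KGgo=';
const hostileName = '"><script>alert(1)</script><img alt=".png';

console.log('unsafe extra tags:', extraTagCount(renderPreviewUnsafe(sampleUrl, hostileName)));
console.log('safe   extra tags:', extraTagCount(renderPreviewSafe(sampleUrl, hostileName)));
console.log(renderPreviewSafe(sampleUrl, hostileName));
```

In a browser the cleaner fix is to avoid string-built markup entirely: create the element with `win.document.createElement('img')` and set `src` and `alt` through `setAttribute`, which never reinterprets the value as markup. The string-escaping version above is kept here because it can be exercised outside a browser and makes the before/after difference visible in the rendered output.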
| Field | Value |
|---|---|
| Source | https://gist.github.com/chenhouser2025/a8ac169dad5cf84811cf9c0505491ea8 |
| User | Eric-g (UID 96879) |
| Submitted | 2026. 03. 29. AM 06:04 (23 days ago) |
| Moderation | 2026. 04. 19. PM 06:18 (22 days later) |
| Status | Accepted |
| VulDB Entry | 358254 [langgenius dify up to 1.13.3 ImagePreview image-preview.tsx openInNewTab filename cross site scripting] |
| Points | 20 |