| Field | Value |
|---|---|
| Title | LangGenius Dify v1.13.3 Cross-Site Scripting (CWE-79) |

# Description
# Technical Details
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the `ImagePreview` component of the Dify web frontend application.
When a user clicks "Open in New Tab" to view a Base64-encoded image in a new window, the application dynamically constructs an HTML document for the new tab. The `title` prop, which is derived directly from the image's original filename, is interpolated into an HTML string using a template literal and rendered via `document.write()` without any HTML entity encoding or sanitization.
# Vulnerable Code
File: web/app/components/base/image-uploader/image-preview.tsx
Method: openInNewTab
Why: In `openInNewTab()`, if the URL is a Base64 data URL (`data:image`), the application spawns a new window and calls ``win?.document.write(`<img src="${url}" alt="${title}" />`)``. Because `title` stems from the user-controlled filename, an attacker can include double quotes (`"`) and closing tags (`>`) to break out of the `alt` attribute context and inject an arbitrary `<script>` payload.
# Reproduction
1. Connect to the Dify application and upload an image file, but intercept the upload request (or rename the file locally) to give it a malicious filename, such as: `"><script>alert("XSS")</script><img alt=".png`
2. Send this file/attachment in a conversation or upload context where another user (or administrator) will view it.
3. The Dify frontend API stores the filename and propagates it to the `file-item` component, which hands it to `ImagePreview` as the `title` prop.
4. The victim clicks the "Open in New Tab" button on the image.
5. A new window opens and `document.write` writes the malicious script. The JavaScript alert or payload immediately executes within the context of the Dify frontend application.
# Impact
- Session Hijacking (The attacker's JavaScript can steal authentication tokens or cookies).
- Account Takeover (The script can execute administrative actions on behalf of the victim).
- Data Theft (Accessing and exfiltrating prompts, knowledge bases, or sensitive data visible to the victim).
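The root cause above is string-built HTML in which an attribute value is filled with untrusted text. The following is an added example (not Dify's code, not from the gist) showing two hardened forms of the same preview logic: escaping both interpolated values before `document.write`, and, preferably, building the `<img>` through DOM APIs so no markup is parsed from strings at all. Function names, the `data:image/` scheme check and the sample filename are assumptions made for this illustration.

```javascript
// Added example, not Dify's code: two ways to render the preview without
// letting the filename break out of the alt attribute.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only the Base64 data-URL branch is affected; refusing anything else keeps
// the rendering path narrow (assumed policy, not taken from the project).
function isBase64ImageDataUrl(url) {
  return /^data:image\/[a-z0-9.+-]+;base64,/i.test(url);
}

// Approach 1: keep document.write but escape every interpolated value.
// Returns the markup string so it can be inspected without a browser.
function buildImagePreviewMarkup(url, title) {
  if (!isBase64ImageDataUrl(url)) {
    throw new Error('refusing to render a non-image data URL');
  }
  return `<img src="${escapeHtml(url)}" alt="${escapeHtml(title)}" />`;
}

// Approach 2 (preferred): create the element through DOM APIs. Values set
// with setAttribute are stored as attribute data and never parsed as HTML,
// so there is no attribute context to break out of. `win` is the window
// returned by window.open().
function renderImagePreview(win, url, title) {
  if (!isBase64ImageDataUrl(url)) {
    throw new Error('refusing to render a non-image data URL');
  }
  const img = win.document.createElement('img');
  img.setAttribute('src', url);
  img.setAttribute('alt', title);
  win.document.body.appendChild(img);
  return img;
}

// Constructed sample: a filename carrying attribute-breaking characters.
const sampleTitle = 'report"><b>x</b>.png';
const sampleUrl = 'data:image/png;base64,AAAA';
console.log(buildImagePreviewMarkup(sampleUrl, sampleTitle));
```

With the escaping form, the quote and angle brackets in the filename reach the page as `&quot;`, `&gt;` and `&lt;`, so the browser keeps them inside the `alt` value. The DOM form needs no escaping at all and is the smaller change to reason about in review; either one closes the `document.write` injection described above.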
| Field | Value |
|---|---|
| Source | https://gist.github.com/chenhouser2025/a8ac169dad5cf84811cf9c0505491ea8 |
| User | Eric-g (UID 96879) |
| Submission | 29.03.2026 06:04 (23 days ago) |
| Moderation | 19.04.2026 18:18 (22 days later) |
| Status | accepted |
| VulDB Entry | 358254 [langgenius dify up to 1.13.3 ImagePreview image-preview.tsx openInNewTab filename cross site scripting] |
| Points | 20 |