Critical

chuanhuchatgpt

Stored XSS via Chat History Upload

A Stored XSS vulnerability was found in version 20240410 of the software, allowing attackers to inject malicious scripts into chat history files. This issue has not yet been patched.

Available publicly on Jul 11 2024

9.3

Threat Overview

The vulnerability allows an attacker to inject malicious JavaScript code into a chat history file. When a victim uploads this file, the script executes in the victim's browser, potentially leading to data theft, session hijacking, malware distribution, and phishing attacks. The vulnerability is particularly dangerous because it leverages the trust users place in the chat application to execute harmful actions.

Attack Scenario

An attacker creates a malicious chat history file containing JavaScript code. The attacker then convinces a victim to upload this file to the chat application. Once uploaded, the malicious script executes in the victim's browser, allowing the attacker to steal sensitive information, hijack sessions, or distribute malware.

Who is affected

Users of the chat application who upload chat history files are affected. This includes any user who can be tricked into uploading a malicious file, potentially leading to the execution of harmful scripts in their browser.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.