Stored XSS Vulnerability in Chat Functionality
A stored XSS vulnerability was discovered in the chat functionality of the application, allowing attackers to inject malicious scripts. The affected version is not specified, and the issue has not yet been patched.
Available publicly on Jul 08 2024 | Available with Premium on Jun 08 2024
Threat Overview
The vulnerability arises from improper neutralization of input during web page generation, specifically in the chat functionality. Malicious payloads can be injected into the chat, which are then stored and executed when the chat is viewed. This can lead to various attacks, including credential theft, data exfiltration, and unauthorized actions on behalf of the user.
Attack Scenario
An attacker could exploit this vulnerability by sending a chat message containing a malicious script. When another user views the chat, the script is executed in their browser, potentially stealing their credentials, session tokens, or other sensitive information. The attacker could also perform actions on behalf of the user, such as sending messages or modifying data.
Who is affected
All users of the application who interact with the chat functionality are affected by this vulnerability. This includes both regular users and administrators.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.