High

devika

Stored XSS Vulnerability in Chat Functionality

A stored XSS vulnerability was discovered in the chat functionality of the application, allowing attackers to inject malicious scripts. The affected version is not specified, and the issue has not yet been patched.

Available publicly on Jul 08 2024

Threat Overview

The vulnerability arises from improper neutralization of input during web page generation, specifically in the chat functionality. Malicious payloads can be injected into the chat, which are then stored and executed when the chat is viewed. This can lead to various attacks, including credential theft, data exfiltration, and unauthorized actions on behalf of the user.

Attack Scenario

An attacker could exploit this vulnerability by sending a chat message containing a malicious script. When another user views the chat, the script is executed in their browser, potentially stealing their credentials, session tokens, or other sensitive information. The attacker could also perform actions on behalf of the user, such as sending messages or modifying data.

Who is affected

All users of the application who interact with the chat functionality are affected by this vulnerability. This includes both regular users and administrators.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.