Severity: Medium

Product: comfyui

Stored XSS via HTML File Upload and Viewing

A stored cross-site scripting (XSS) vulnerability was identified in ComfyUI version 0.2.2. An attacker can upload an HTML file containing a script payload; when that file is later requested through the /view endpoint it is rendered in the viewer's browser and the payload executes in the context of the ComfyUI web interface. At the time of publication this issue has not been patched.

Available publicly on Dec 13 2024

Remediation Steps
  1. Validate file uploads rather than trusting the declared name or extension: allowlist the file types the endpoint is meant to serve (for example image formats), verify them by content (magic bytes), and reject HTML, SVG and any other format a browser will execute as a document.
  2. Serve stored files so that the browser cannot execute them: send a Content-Security-Policy header that forbids script execution (for example default-src 'none'; sandbox), together with X-Content-Type-Options: nosniff, and deliver anything that is not a verified image with Content-Disposition: attachment.
  3. Regularly update and patch the software so that a fix is picked up as soon as one is released.
  4. Educate users on the risks of uploading, and of opening, untrusted files served by the application.
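The following is an added example illustrating remediation steps 1 and 2 side by side; it is not ComfyUI's own code and does not reproduce its /view handler. The function names, the allowlist and the sample inputs are hypothetical: the naive handler shows the pattern that lets an uploaded .html file come back as text/html, and the hardened pair checks the upload by content and forces anything that is not a verified image to download under a CSP that forbids scripts.

```python
import mimetypes
import os
import re

# Added example, not ComfyUI's own code. Function names, the allowlist and the
# sample payloads below are hypothetical and constructed for illustration.

# Image types the /view endpoint is allowed to render inline, keyed by the
# magic bytes a file of that type must start with. SVG is deliberately absent:
# browsers execute scripts inside SVG documents.
MAGIC_TO_MIME = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Extension a stored file must carry for each allowed type (an explicit map
# rather than the mimetypes module, so the allowlist is small and predictable).
EXT_TO_MIME = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}

# Filenames are restricted to a tame character set so they can be echoed into a
# Content-Disposition header without header injection or path traversal.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Headers that stop a browser from executing a served file as a document even
# when its bytes are HTML: no MIME sniffing, and a CSP with no script source.
_NO_EXEC_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}


def sniff_type(data: bytes):
    """Return the allowlisted MIME type whose magic bytes open the file, else None."""
    for magic, mime in MAGIC_TO_MIME.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(filename: str, data: bytes):
    """Upload-time check: accept only a tame name and an allowlisted image whose
    content agrees with its extension. Returns (accepted, reason)."""
    if not _SAFE_NAME.match(filename):
        return False, "unsafe filename"
    declared = EXT_TO_MIME.get(os.path.splitext(filename)[1].lower())
    if declared is None:
        return False, "extension not allowed"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not an allowed image type"
    if sniffed != declared:
        return False, f"extension says {declared} but content is {sniffed}"
    return True, "ok"


def naive_view_headers(filename: str):
    """The vulnerable pattern: trust the stored name, let the extension choose the
    Content-Type and render inline. An uploaded payload.html comes back as
    text/html and its script runs in the viewer's browser."""
    mime = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return {"Content-Type": mime, "Content-Disposition": "inline"}


def hardened_view_headers(filename: str, data: bytes):
    """Serve-time check for /view: only a verified image is rendered inline;
    anything else is forced to download with a non-executable content type."""
    name = filename if _SAFE_NAME.match(filename) else "download"
    sniffed = sniff_type(data)
    declared = EXT_TO_MIME.get(os.path.splitext(name)[1].lower())
    if sniffed is not None and sniffed == declared:
        return {
            "Content-Type": sniffed,
            "Content-Disposition": f'inline; filename="{name}"',
            **_NO_EXEC_HEADERS,
        }
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
        **_NO_EXEC_HEADERS,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and an HTML payload.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    html = b"<html><script>alert(document.domain)</script></html>"
    print(validate_upload("cat.png", png))            # (True, 'ok')
    print(validate_upload("payload.html", html))      # (False, 'extension not allowed')
    print(validate_upload("cat.png", html))           # (False, 'content is not an allowed image type')
    print(naive_view_headers("payload.html"))         # text/html, inline: the bug
    print(hardened_view_headers("payload.html", html))  # octet-stream, attachment
```

Both checks are needed: the upload check keeps HTML out of storage, and the serve-time check protects files that were stored before the fix or placed on disk by another route. The CSP on the inline branch is a second line of defence in case a future allowlist entry turns out to be a format the browser treats as a document.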
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A