Prisma Injection via User JSON in API Endpoint
A vulnerability in the API endpoint '/embed/:embedId/stream-chat' allows Prisma injection because user-supplied JSON is passed directly into a database query. This affects the version at git commit cc594d4 and was patched in version 1.2.2.
Available publicly on Nov 03 2024 | Available with Premium on Aug 27 2024
Threat Overview
The vulnerability arises from improper input validation in the API endpoint '/embed/:embedId/stream-chat'. An attacker can manipulate the JSON input, particularly the 'sessionId' field, to inject Prisma queries. This can lead to unauthorized access to all data in the table, exposing sensitive information from other users' chat sessions.
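The defect described above is the general Prisma pattern in which a request-body value is copied straight into a `where` clause: Prisma treats a string there as an equality match but an object as a filter object, so the client controls the query's shape. The block below is an added example, not the advisory's or the affected project's code, and shows the check that closes that gap: `sessionId` is accepted only as a well-formed string before any query is built, and the query is composed solely from the route's embed id and that validated string. The in-memory `db`, the column names, the row shapes and the `SESSION_ID_RE` format are assumptions for the example.

```javascript
// Added example (not the advisory's or the affected project's code): validating the
// sessionId field of the /embed/:embedId/stream-chat request body before it reaches a
// Prisma query. Prisma reads an object in a `where` field as a filter object, so a
// body field forwarded verbatim lets the client change the query instead of one value.

// Assumed session-id format; adjust to whatever the application actually issues.
const SESSION_ID_RE = /^[A-Za-z0-9_-]{1,128}$/;

// Returns the validated sessionId string, or throws for anything that is not a plain,
// well-formed string (objects, arrays, numbers, null, empty strings).
function parseSessionId(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('request body must be a JSON object');
  }
  const { sessionId } = body;
  if (typeof sessionId !== 'string') {
    throw new TypeError('sessionId must be a string');
  }
  if (!SESSION_ID_RE.test(sessionId)) {
    throw new RangeError('sessionId has an unexpected format');
  }
  return sessionId;
}

// Constructed sample rows standing in for the chat-history table.
const SAMPLE_ROWS = [
  { id: 1, embed_id: 'emb-7', session_id: 'sess-alice', prompt: 'hello' },
  { id: 2, embed_id: 'emb-7', session_id: 'sess-bob', prompt: 'hi there' },
  { id: 3, embed_id: 'emb-9', session_id: 'sess-alice', prompt: 'other embed' },
];

// Minimal stand-in for prisma.<model>.findMany({ where }). It only implements the
// equality filters the hardened handler emits; a real client accepts far richer
// filter shapes, which is exactly why raw body values must never be forwarded.
const db = {
  findMany({ where }) {
    return SAMPLE_ROWS.filter((row) =>
      Object.entries(where).every(([col, val]) => row[col] === val));
  },
};

// Hardened handler core: the query is built only from the route's embed id and the
// validated string, so it can match at most that one session of that one embed.
function loadSessionHistory(embedId, body) {
  const sessionId = parseSessionId(body);
  return db.findMany({ where: { embed_id: embedId, session_id: sessionId } });
}

// Express-style wrapper showing where the check sits relative to the route. Validation
// failures become a 400 rather than reaching the query layer.
function streamChatHandler(req, res) {
  try {
    const history = loadSessionHistory(req.params.embedId, req.body);
    res.status(200).json({ history });
  } catch (err) {
    res.status(400).json({ error: err.message });
  }
}

module.exports = { parseSessionId, loadSessionHistory, streamChatHandler };
```

The same idea applies to every body field that ends up in a Prisma query: check the runtime type (a schema validator such as zod or Joi does the same job declaratively) and build the `where` object yourself from validated scalars rather than spreading the request body into it.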
Attack Scenario
An attacker creates a new workspace and an embeddable chat in chat mode. They then send a crafted POST request to the '/embed/:embedId/stream-chat' endpoint with a manipulated 'sessionId' field. This causes the server to return all data from the table, including other users' chat history.
Who is affected
Users of the affected version (git commit cc594d4) who have embedded chat functionality enabled are at risk. This includes any user who interacts with the '/embed/:embedId/stream-chat' API endpoint.