danswer-ai Danswer Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in version 1.4.1 of danswer-ai/danswer. This vulnerability allows attackers to perform unauthorized actions in the context of the victim's browser, such as connecting to a malicious Slack Bot, inviting users, and deleting chats. The application lacks any CSRF protection, leaving it vulnerable to these types of attacks.

Impact

Exploitation of this vulnerability allows an attacker to perform any action within the application on behalf of the victim. This includes connecting the victim's application to a malicious Slack Bot, interacting with the chatbot, adding connectors, creating assistants, answers and tools, deleting chats, and inviting users.

Reproduction

The vulnerability can be reproduced by sending a crafted request that exploits the lack of CSRF protection. This can be done with a script that sends an XMLHttpRequest carrying the necessary headers and payload to the application's API endpoints. Because no CSRF token is required and the browser attaches the victim's session cookie automatically, these requests are processed as if the user had initiated them.
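The check whose absence the advisory describes, as an added illustration (this is not Danswer's own code): a request-level CSRF gate that rejects state-changing requests unless browser fetch metadata and the Origin/Referer point at the application and a per-session synchronizer token is present. The application origin, server secret and the X-CSRF-Token header name are assumptions chosen for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed values for this example; a real deployment loads these from config.
APP_ORIGIN = "https://danswer.example"          # assumption
SERVER_SECRET = b"example-server-secret-change-me"  # assumption


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token (synchronizer-token pattern)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method: str) -> bool:
    """Only non-safe HTTP methods need CSRF protection."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def csrf_check(method: str, headers: Dict[str, str],
               session_id: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one incoming request."""
    if not is_state_changing(method):
        return True, "safe method"
    if session_id is None:
        return True, "no session cookie: nothing to forge"
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Fetch metadata: browsers send Sec-Fetch-Site on every request they make.
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, f"rejected by Sec-Fetch-Site={site}"

    # 2. Origin (or Referer as fallback) must match the application's own origin.
    source = h.get("origin") or h.get("referer")
    if source:
        p = urlparse(source)
        if f"{p.scheme}://{p.netloc}" != APP_ORIGIN:
            return False, f"origin mismatch: {source}"

    # 3. Synchronizer token, compared in constant time to avoid timing leaks.
    token = h.get("x-csrf-token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

A cross-site XMLHttpRequest like the one the reproduction describes fails step 1 and step 2, and cannot read the token needed for step 3 from another origin.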

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.