1Panel-dev MaxKB Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in 1Panel-dev MaxKB versions through 2.4.2. The issue resides in the MdPreview component within the file ui/src/chat.ts. This vulnerability allows authenticated users with dataset management permissions to inject arbitrary HTML or JavaScript content, which is then executed when other users, including administrators, view the affected content.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, an authenticated user with dataset management permissions can create a paragraph containing a malicious payload, such as an image tag with an 'onerror' event. This paragraph is then stored in the application and rendered using the MdPreview component, which does not sanitize the HTML. When another user views the paragraph, the injected script is executed.

Remediation

Users are advised to upgrade to MaxKB version 2.5.0, which addresses this vulnerability.