OpenSlides HTML Injection Vulnerability in Chat Names

Vulnerability

A vulnerability allowing HTML injection has been identified in OpenSlides versions prior to 4.2.5. When users create new chats through the chat_group.create action, they can specify the chat name. Certain HTML elements, such as SCRIPT tags, are filtered out of that name, but other elements are not. HTML special characters are generally encoded correctly when the name is rendered, except in the views shown when chats or messages are deleted; there the injected markup is rendered and can interfere with the website's layout. However, it is unlikely that users would engage with deleted chats or messages.

Impact

Exploitation of this vulnerability allows for HTML injection, which could disrupt the layout of the website. In some cases, this could be leveraged for Cross-Site Scripting (XSS) attacks, where injected scripts are executed in the context of the user's session.

Reproduction

To reproduce this vulnerability, create a new chat using the chat_group.create action. Enter a chat name that includes HTML tags, such as a bold tag. Once the chat is created, the injected HTML will be rendered, demonstrating the successful exploitation of the HTML injection vulnerability.
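The advisory describes two distinct defences: a tag blocklist applied to the chat name on creation (which stops SCRIPT but lets a bold tag through) and HTML entity encoding at render time (which neutralises every tag, but was missing on the deletion path). The following added example, which is not OpenSlides code and makes no claim about how the project implements either step, contrasts the two on constructed sample names and includes a check helper a reviewer could use to confirm that a rendered fragment no longer contains live markup. The function names, the sample names and the rendered templates are all assumptions made for the illustration.

```python
import html
import re

# Constructed sample chat names for the demonstration (not taken from the advisory).
SAMPLE_NAMES = [
    "Budget committee",
    "<b>Budget committee</b>",
    "<script></script>Budget committee",
]

# Matches opening and closing SCRIPT tags only; every other tag passes through.
SCRIPT_TAG_RE = re.compile(r"</?\s*script\b[^>]*>", re.IGNORECASE)


def blocklist_filter(name: str) -> str:
    """The insufficient approach: strip SCRIPT tags and keep everything else verbatim."""
    return SCRIPT_TAG_RE.sub("", name)


def encode_for_html(name: str) -> str:
    """Output encoding: <, >, &, and quotes become entities, so no tag can survive."""
    return html.escape(name, quote=True)


def render_chat_title(name: str) -> str:
    """Hypothetical normal rendering path: the name is encoded before being placed in markup."""
    return f"<h2>{encode_for_html(name)}</h2>"


def render_deleted_notice(name: str) -> str:
    """Hypothetical deletion notice. This is the kind of path the advisory says was
    missed; encoding here closes the gap."""
    return f'<p class="deleted">Chat "{encode_for_html(name)}" was deleted</p>'


def contains_markup(rendered: str, tag: str) -> bool:
    """Review check: does a rendered fragment still contain a live <tag ...>?"""
    return re.search(rf"<{tag}\b", rendered, re.IGNORECASE) is not None


def demo() -> dict:
    """For each sample name, report whether a bold tag survives the blocklist and
    whether it survives encoding on both rendering paths."""
    results = {}
    for name in SAMPLE_NAMES:
        filtered = blocklist_filter(name)
        results[name] = {
            "blocklist_leaves_b": contains_markup(filtered, "b"),
            "title_leaves_b": contains_markup(render_chat_title(name), "b"),
            "deleted_leaves_b": contains_markup(render_deleted_notice(name), "b"),
        }
    return results


if __name__ == "__main__":
    for name, flags in demo().items():
        print(repr(name), flags)
```

The blocklist removes the SCRIPT sample but leaves the bold sample intact, whereas both encoding paths reduce every sample to inert text; that difference is the whole point of the advisory's remark that only some elements are filtered while encoding is what actually prevents rendering.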

Remediation

Users can update to OpenSlides version 4.2.5, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.