Langgenius Dify Cross-Site Scripting Vulnerability in Firefox Browsers

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Langgenius Dify, affecting versions prior to 1.1.3. The issue specifically impacts Firefox users: an attacker can inject a payload into a published chat, and when the administrator reviews that conversation through the monitoring function in Firefox, the XSS is triggered and can leak the administrator's token.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the administrator's token, allowing attackers to impersonate the admin or access restricted functionalities.

Reproduction

To reproduce this vulnerability, publish a chat message containing a payload designed to exploit XSS. Then, have an administrator view the conversation through the monitoring function in Firefox. The injected payload will execute, demonstrating the XSS vulnerability.

Remediation

Update to Langgenius Dify version 1.1.3 or later, where this vulnerability has been addressed.

Added: Jul 7, 2025, 11:01 AM
Updated: Jul 7, 2025, 11:01 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.0
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.