Dify Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Dify version 1.2.0, an open-source platform for developing applications with large language models. The issue arises from inadequate input validation in the web application, which allows attackers to inject malicious scripts into pages served to other users. When those users visit the affected pages, the injected scripts are executed in their browsers, potentially leading to attacks such as cookie theft, session hijacking, or phishing.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where injected scripts are executed in the browser of any user who views the affected page, with that user's session context.

Reproduction

To reproduce this vulnerability, enter a payload containing a script injection, such as a JavaScript URL or an HTML element with an event handler, into an input box within the application. Once the payload is submitted, the script executes in the browser of any other user who views the injected content.
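The defensive side of the bug class described above, as an added example that is not Dify's own code: user text is HTML-escaped before it reaches an HTML context, and a user-supplied link is checked against a scheme allow-list before it becomes an href, so both payload shapes named above (an element carrying an event handler, and a JavaScript URL) render inert. The message fields author, body and link are assumed for illustration.

```javascript
// Added example, not Dify's code. Two controls that close the bug class of
// untrusted input reaching a page unescaped:
// 1. escapeHtml: encode user text before it is placed in an HTML context, so a
//    tag or event-handler attribute is displayed literally instead of parsed.
// 2. safeHref: allow-list URL schemes before a user value becomes an href,
//    because an escaped "javascript:" URL is still a live link when clicked.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the normalised URL if its scheme is allow-listed, otherwise null.
// The URL parser strips leading control characters and lower-cases the
// scheme, so "  JavaScript:..." is rejected as well. Relative URLs throw and
// are therefore rejected too; this example only accepts absolute links.
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render a user-authored message (constructed sample shape: author, body,
// link) into HTML that is safe to insert with innerHTML: all text is
// escaped and the link is only emitted when its scheme passed the check.
function renderMessage({ author, body, link }) {
  const href = safeHref(link);
  const linkHtml = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">link</a>`
    : '';
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(body)} ${linkHtml}</p>`;
}
```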

Added: Jun 17, 2025, 11:16 PM
Updated: Jun 17, 2025, 11:16 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.8
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.