SelfBest Platform Stored Cross-Site Scripting Vulnerability in Chat Functionality
Vulnerability
A stored cross-site scripting vulnerability has been identified in the chat feature of the SelfBest platform, specifically in version 2023.3. This vulnerability allows authenticated attackers to inject arbitrary web scripts or HTML into the chat message input field. The injected content is stored and executed in the context of other users' browsers when they view the message, potentially leading to session hijacking, account takeover, or other client-side attacks.
Impact
Exploitation of this vulnerability could result in mass account compromise, session hijacking, and unauthorized data access or manipulation.
Reproduction
To reproduce this vulnerability, an authenticated user can send a chat message containing malicious JavaScript or HTML. Once the message is sent, the injected script will execute automatically in the browsers of users who view the chat, without any additional interaction required.
Remediation
Developers can address this vulnerability by implementing proper input validation and output encoding in the chat functionality. Using a library like DOMPurify for client-side sanitization, conducting strict server-side validation, and establishing a robust Content Security Policy are recommended practices.
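The server-side part of the remediation above, as an added example that is not SelfBest code: validate the message on input, HTML-encode every user-controlled field when the stored message is rendered, and send a nonce-based Content Security Policy. All function names, the length limit and the sample messages are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not taken from SelfBest.
const MAX_LEN = 2000; // assumed per-message length limit

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode for HTML text and quoted-attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side validation: type, length, and no control characters.
// Markup is not stripped here; it is neutralised by encoding at output time.
function validateMessage(body) {
  if (typeof body !== "string") return { ok: false, reason: "not a string" };
  if (body.length === 0 || body.length > MAX_LEN) return { ok: false, reason: "bad length" };
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(body)) {
    return { ok: false, reason: "control characters" };
  }
  return { ok: true, reason: null };
}

// Render one stored message; every user-controlled field is encoded.
function renderMessage(msg) {
  const author = escapeHtml(msg.author);
  return `<li class="chat-msg" data-author="${author}">` +
    `<span class="author">${author}</span>: ` +
    `<span class="body">${escapeHtml(msg.body)}</span></li>`;
}

// Content-Security-Policy value: no inline script without the per-response nonce.
// The caller must generate the nonce with a CSPRNG for every response.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Constructed sample messages, as they might come back from storage.
const stored = [
  { author: "alice", body: "lunch at 12?" },
  { author: 'bob" data-x="1', body: "<script>alert(1)</script>" },
];
const html = stored.filter((m) => validateMessage(m.body).ok).map(renderMessage).join("\n");
console.log(html);
console.log("Content-Security-Policy:", cspHeader("CONSTRUCTED-NONCE"));
```

Encoding at output is the control that stops the stored markup from executing; the CSP limits the damage if an unencoded sink is missed elsewhere in the page.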
