AIxBlock Stored Cross-Site Scripting Vulnerability in Model Descriptions

A stored cross-site scripting vulnerability has been identified in the AIxBlock platform, specifically in the model description field. This vulnerability allows attackers to inject malicious web scripts or HTML, which are executed when other users view the model details. The issue arises from improper sanitization of the 'model_desc' parameter during model creation, affecting multiple React components that render this field using 'dangerouslySetInnerHTML' without adequate protection.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user viewing the model details, potentially leading to session hijacking, unauthorized actions on behalf of the user, and exfiltration of sensitive data.

Reproduction

To reproduce this vulnerability, navigate to the model creation page on the AIxBlock platform. Inject a script payload, such as an SVG image with an 'onload' event, into the description field. After submitting the form, the injected script will execute when the model details are viewed.

Remediation

The vulnerability has been fixed by implementing proper input sanitization using DOMPurify on the frontend and bleach on the backend. Additionally, a Content Security Policy can be added to further enhance security.