SparkyFitness Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in SparkyFitness version 0.15.8.2. This issue allows remote attackers to execute arbitrary JavaScript in the context of authenticated users. The vulnerability arises from the application rendering unsanitized user input and output generated by a language model (LLM) into the DOM using React's dangerouslySetInnerHTML. This lack of proper sanitization enables the injection of malicious payloads that are persisted and can be executed later, potentially leading to session hijacking, unauthorized actions on behalf of the victim, and the creation of fake messages in the AI chat interface.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, with the potential to forge messages that appear as legitimate responses from the AI, and to perform unauthorized actions using the victim's credentials.
Reproduction
To reproduce this vulnerability, an authenticated user can send a message to the AI chatbot that includes an image tag with an 'onerror' event handler. That handler can be used to execute JavaScript, such as a fetch request that sends a payload to a server. Once the message is sent, the injected JavaScript runs in the browser of anyone who views the chat history, demonstrating the stored XSS condition.
Remediation
Users can update to SparkyFitness version 0.16.3 or later, where this vulnerability has been addressed by sanitizing rendered content before it is displayed.
