Paris Neo LoLLMs Stored Cross-Site Scripting Vulnerability in Social Feature
Vulnerability
A stored cross-site scripting vulnerability has been identified in the social feature of Paris Neo LoLLMs, affecting versions prior to 2.2.0. The issue arises in the 'create_post' function within 'backend/routers/social/__init__.py', where user-generated content is assigned directly to the 'DBPost' model without any sanitization. This oversight allows attackers to inject and store malicious JavaScript, which is then executed in the browsers of users viewing the Home Feed, including administrators. The vulnerability can lead to account takeover, session hijacking, and self-propagating (wormable) attacks.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user viewing the feed. This could result in stealing sensitive JWT tokens from localStorage, hijacking session cookies, and potentially allowing the attacker to post malicious content from the victim's account, spreading the XSS further.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/social/posts' endpoint with injected JavaScript in the 'content' field. The injected script will execute in the context of any user who views the Home Feed, including admins.
Remediation
The vulnerability has been fixed in version 2.2.0 by implementing input sanitization using the 'bleach' library to clean user-generated content before it is stored in the database. A migration script has also been added to sanitize existing content that may have been compromised.
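The following is an added example, not code from the LoLLMs project: the advisory says the 2.2.0 fix sanitizes post content with the 'bleach' library, and this stand-alone version shows the same allowlist approach using only the Python standard library so it runs without third-party dependencies. The allowed tag and attribute sets, the function names 'sanitize_post_content' and 'sanitize_existing_posts', and the 'SAMPLE_POSTS' records are all assumptions constructed for the example; the second function mirrors the role of the migration script that backfills already-stored content.

```python
"""Allowlist HTML sanitizer for user-generated social posts (added example,
not LoLLMs project code). The project's fix uses 'bleach'; this version uses
only the standard library but applies the same idea: keep a small set of
harmless tags/attributes, drop everything else, and escape all text."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a social post (hypothetical policy, not the project's).
ALLOWED_TAGS = {"b", "i", "strong", "em", "p", "br", "a", "code", "pre", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_url(value: str) -> bool:
    """Allow only http(s)/mailto or relative URLs. Browsers ignore tabs and
    newlines inside a scheme, so strip them before inspecting it."""
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlparse(compact).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allowed tags emitted so far, to keep output balanced
        self._skip_depth = 0   # > 0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept (escaped)
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # event handlers are never allowed
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in self._open:
            # Close back to the matching tag so the output stays well-formed.
            while self._open:
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped

    def result(self) -> str:
        while self._open:  # close anything left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_post_content(content: str) -> str:
    """Clean content before it is assigned to the post model (the write path)."""
    parser = _Sanitizer()
    parser.feed(content)
    parser.close()
    return parser.result()


def sanitize_existing_posts(posts):
    """Backfill already-stored posts, in the role of the advisory's migration.
    Returns the ids of posts whose content changed."""
    changed = []
    for post in posts:
        clean = sanitize_post_content(post["content"])
        if clean != post["content"]:
            post["content"] = clean
            changed.append(post["id"])
    return changed


# Constructed sample rows standing in for stored posts (not real data).
SAMPLE_POSTS = [
    {"id": 1, "content": "Hello <b>world</b>"},
    {"id": 2, "content": "<script>alert(1)</script>Hi"},
    {"id": 3, "content": '<a href="javascript:alert(1)" onclick="x()">link</a>'},
]

if __name__ == "__main__":
    print(sanitize_existing_posts(SAMPLE_POSTS))
    for post in SAMPLE_POSTS:
        print(post["id"], post["content"])
```

The sanitizer runs on the write path (the equivalent of the 'create_post' handler) and the backfill helper runs once over existing rows; escaping text on output is still advisable as a second layer, since stored sanitization protects only content written after the fix.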
