parisneo Lollms Cross-Site Scripting Vulnerability in Direct Messaging Component

Vulnerability

A Cross-site Scripting (XSS) vulnerability has been identified in the 'from_dict' method of the 'AppLollmsMessage' class in parisneo/lollms, prior to version 2.2.0. This vulnerability allows for the injection of malicious HTML or JavaScript into user messages, which is then executed in the context of the recipient's browser. The issue stems from improper sanitization of the 'content' field when processing user data, potentially leading to account takeover, session hijacking, or wormable attacks.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user receiving the message, with the potential to steal sensitive information such as JWT tokens from localStorage and session cookies, and to perform actions on behalf of the user, for example by posting malicious content from their account.

Reproduction

To reproduce this vulnerability, send a direct message through the '/api/dm/send' endpoint whose 'content' field contains HTML markup, such as an image tag with an 'onerror' event handler that calls an alert. Because the server does not sanitize the 'content' field, the injected script runs when the recipient views the message, demonstrating the XSS attack.

Remediation

Update to version 2.2.0 or later, in which this vulnerability has been fixed. Users should also ensure that all user-generated content is properly sanitized or HTML-encoded before it is stored or displayed.
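The following is an added illustration of the vulnerable and hardened patterns described above; it is not code from parisneo/lollms, and the 'DirectMessage' class, 'from_dict_unsafe', 'escape_for_html' and 'contains_active_markup' are hypothetical stand-ins (the advisory does not show how version 2.2.0 implements its fix). It assumes message content is meant to be displayed as plain text, so HTML entity encoding at the trust boundary is sufficient; an application that must preserve some markup would instead use an allowlist sanitizer. The sample payload is constructed to mirror the reproduction section.

```python
import html
import re
from dataclasses import dataclass


def escape_for_html(text: str) -> str:
    # quote=True also encodes " and ', so attribute-breakout payloads become inert text.
    return html.escape(text, quote=True)


# Detection signal only: a raw tag start or a javascript: URI still present in
# a stored/rendered value means the content was not neutralised.
_ACTIVE_MARKUP = re.compile(r"<\s*/?[a-zA-Z]|javascript:", re.IGNORECASE)


def contains_active_markup(text: str) -> bool:
    return _ACTIVE_MARKUP.search(text) is not None


@dataclass
class DirectMessage:
    # Hypothetical, simplified stand-in for a DM object; NOT the lollms AppLollmsMessage class.
    sender: str
    content: str

    @classmethod
    def from_dict_unsafe(cls, data: dict) -> "DirectMessage":
        # Vulnerable pattern: the 'content' field is copied verbatim from the
        # request body, so any markup it carries reaches the recipient's browser.
        return cls(
            sender=str(data.get("sender", "")),
            content=str(data.get("content", "")),
        )

    @classmethod
    def from_dict(cls, data: dict) -> "DirectMessage":
        # Hardened pattern: untrusted fields are HTML-encoded as they cross the
        # trust boundary, so the stored value is safe to interpolate into a page.
        return cls(
            sender=escape_for_html(str(data.get("sender", ""))),
            content=escape_for_html(str(data.get("content", ""))),
        )


def render_message_html(msg: DirectMessage) -> str:
    # Simulates the recipient's view: naive string interpolation into HTML.
    # Safe only because from_dict() already encoded the fields.
    return f'<div class="dm"><b>{msg.sender}</b>: {msg.content}</div>'


# Constructed sample input mirroring the advisory's reproduction step
# (an image tag with an onerror handler that calls alert).
SAMPLE_PAYLOAD = {"sender": "mallory", "content": '<img src=x onerror="alert(1)">'}

if __name__ == "__main__":
    unsafe = DirectMessage.from_dict_unsafe(SAMPLE_PAYLOAD)
    safe = DirectMessage.from_dict(SAMPLE_PAYLOAD)
    print("unsafe render:", render_message_html(unsafe))
    print("safe render:  ", render_message_html(safe))
    print("active markup left in unsafe message:", contains_active_markup(unsafe.content))
    print("active markup left in safe message:  ", contains_active_markup(safe.content))
```

The 'contains_active_markup' check is meant as a monitoring aid (for example, run over stored messages after an upgrade to find content that was persisted before the fix), not as a replacement for encoding: a denylist regex is easy to bypass, whereas entity encoding of every untrusted field removes the rendering problem regardless of payload shape.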

Added: Apr 12, 2026, 3:18 AM
Updated: Apr 12, 2026, 3:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.