OrcaStatLLM Researcher Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in OrcaStatLLM Researcher, specifically in the log message feature on the session page. It allows attackers to inject JavaScript that executes in the browsers of every user who views the affected session. The root cause is that the application renders user-supplied log messages into the page without output encoding or sanitization, so any HTML or script in a message is interpreted by the browser rather than displayed as text.
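The following added example (not OrcaStatLLM Researcher's own code) shows the two rendering patterns behind this class of bug: a log-entry renderer that interpolates the raw message into markup, and a hardened version that HTML-escapes every untrusted field first. It also includes a small audit helper that flags stored messages containing markup or inline event handlers, which a defender can run over an existing log store to find injected content. The entry shape, function names and sample entries are assumptions for illustration.

```javascript
// Added example, not code from OrcaStatLLM Researcher: rendering a user-supplied
// session log message into HTML, the unsafe way and the hardened way.

// Escape the characters that carry meaning in HTML text and attribute contexts
// so the message is displayed literally instead of being parsed as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw message is interpolated into markup (equivalent
// to assigning it to innerHTML). Any tag in the message is parsed by the browser.
function renderLogEntryUnsafe(entry) {
  return `<li class="log"><span class="ts">${entry.timestamp}</span> ${entry.message}</li>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches markup.
function renderLogEntrySafe(entry) {
  return `<li class="log"><span class="ts">${escapeHtml(entry.timestamp)}</span> ${escapeHtml(entry.message)}</li>`;
}

// Audit aid: flag stored log messages that contain an HTML tag, an inline
// event-handler attribute, or a javascript: URL so they can be reviewed.
// False positives are acceptable here; this is a triage filter, not a sanitizer.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;
function looksLikeMarkup(message) {
  return MARKUP_PATTERN.test(String(message));
}

// Constructed sample entries (hypothetical shape): one benign message and one
// carrying the kind of image tag with an onerror handler the advisory describes.
const SAMPLE_ENTRIES = [
  { timestamp: "2024-01-01T00:00:00Z", message: "Started research session" },
  { timestamp: "2024-01-01T00:00:05Z", message: '<img src=x onerror="alert(1)">' },
];

// Render each entry with the safe renderer and report whether it was flagged.
function auditEntries(entries) {
  return entries.map((entry) => ({
    flagged: looksLikeMarkup(entry.message),
    html: renderLogEntrySafe(entry),
  }));
}

// Usage: print the audit result for the constructed sample entries.
console.log(JSON.stringify(auditEntries(SAMPLE_ENTRIES), null, 2));
```

The safe renderer turns the injected tag into inert text (`&lt;img ...&gt;`), so the browser shows the message instead of executing it; in a real front end the same effect is achieved by assigning untrusted strings to `textContent` rather than `innerHTML`, and a Content Security Policy without `unsafe-inline` limits the damage if an encoding gap remains.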
Impact
Exploitation of this vulnerability could lead to session hijacking, allowing attackers to steal session cookies and impersonate users. It also poses a risk of credential theft by capturing keystrokes, including passwords and API keys. Additionally, the vulnerability could result in account takeover, enabling attackers to perform actions on behalf of the victim, and data exfiltration by accessing and stealing research data and API keys from the user's configuration. Furthermore, the vulnerability could be used to distribute malware by redirecting users to malicious sites or to conduct phishing attacks by displaying fake login forms within the application.
Reproduction
To reproduce this vulnerability, deploy OrcaStatLLM Researcher either locally or via Docker. Once the application is running, open a web browser and navigate to the application. In the 'Research Topic' field, enter a payload designed to exploit the XSS vulnerability, such as an image tag with an 'onerror' event. After submitting the form, the injected JavaScript will execute, confirming the presence of the vulnerability.
