New API Cross-Site Scripting Vulnerability in Markdown Renderer Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the New API project, specifically in the MarkdownRenderer.jsx component, in versions prior to 0.10.8-alpha.9. The issue arises from an unsafe rendering operation that inserts model output into the page without sanitization, so any <script> tags the output contains are rendered as live markup rather than as text. An attacker can exploit this by prompting the model to generate HTML with embedded scripts, which then execute in the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to various malicious activities, such as stealing cookies or session tokens, or manipulating the user interface.

Reproduction

To reproduce this vulnerability, use the New API playground feature and prompt the model to generate a script that includes a <script> tag. The generated script will be executed in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users should update to New API version 0.10.8-alpha.9 or later, where this vulnerability has been fixed.
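The advisory describes the defect as model output being rendered without sanitization; the general defence is to pass the markdown-rendered HTML through an allow-list sanitizer before it reaches the DOM. The block below is an added example written for this page and is not New API's code or its actual fix. It assumes (not stated in the advisory) that the renderer turns markdown into an HTML string and injects it with React's dangerouslySetInnerHTML; the allow-list, the sample HTML and the function names are constructed for illustration. The toy tokenizer is deliberately small so the logic is visible; a production renderer should use a maintained sanitizer such as DOMPurify or rehype-sanitize rather than this code.

```javascript
// Added example, not New API's code: allow-list sanitization of markdown-rendered
// model output before it is handed to the DOM. Illustrative only; use DOMPurify or
// rehype-sanitize in a real renderer (this tokenizer does not handle '>' inside
// attribute values, comments, or malformed markup the way a browser does).

// Tag -> attributes allowed on it. Anything not listed (script, iframe, on* handlers,
// style, ...) is dropped. Assumed list; adjust to what the renderer actually needs.
const ALLOWED_TAGS = new Map([
  ['p', []], ['br', []], ['strong', []], ['em', []], ['ul', []], ['ol', []], ['li', []],
  ['h1', []], ['h2', []], ['h3', []], ['blockquote', []], ['table', []], ['thead', []],
  ['tbody', []], ['tr', []], ['th', []], ['td', []],
  ['code', ['class']], ['pre', ['class']],
  ['a', ['href', 'title']], ['img', ['src', 'alt', 'title']],
]);

// Raw-text elements: when the open tag is dropped, the body up to the close tag goes too,
// otherwise "alert(1)" would survive as visible text.
const RAW_TEXT_TAGS = new Set(['script', 'style']);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Reject URL values whose scheme is not on the allow-list (javascript:, data:, vbscript:).
// Control characters and whitespace are stripped first because browsers ignore them
// when parsing a scheme ("java\tscript:").
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // relative URL, no scheme
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Text between tags: the markdown step has already entity-encoded real text, so only a
// stray '<' or '>' that did not form a recognised tag needs neutralising here.
function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Keep only allow-listed attributes for this tag and re-emit them quoted and escaped.
function filterAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_TAGS.get(tag);
  const out = [];
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.includes(name)) continue; // drops onerror, onclick, style, ...
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    out.push(` ${name}="${escapeAttr(value)}"`);
  }
  if (tag === 'a' && out.some((a) => a.startsWith(' href='))) out.push(' rel="noopener noreferrer"');
  return out.join('');
}

// Walk the HTML string tag by tag, keeping allow-listed tags (with filtered attributes)
// and dropping everything else.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
  let out = '';
  let pos = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(pos, m.index));
    pos = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (!ALLOWED_TAGS.has(tag)) {
      if (!closing && RAW_TEXT_TAGS.has(tag)) {
        // Skip the element body up to and including its close tag.
        const end = html.toLowerCase().indexOf(`</${tag}`, pos);
        if (end === -1) { pos = html.length; break; }
        const closeEnd = html.indexOf('>', end);
        pos = closeEnd === -1 ? html.length : closeEnd + 1;
        tagRe.lastIndex = pos;
      }
      continue; // forbidden or unknown tag dropped
    }
    out += closing ? `</${tag}>` : `<${tag}${filterAttrs(tag, m[2])}>`;
  }
  out += escapeText(html.slice(pos));
  return out;
}

// Shape that React's dangerouslySetInnerHTML prop expects. With sanitize=false this is
// the vulnerable pattern (model HTML passed straight through); the default is the fix.
function renderModelOutput(html, { sanitize = true } = {}) {
  return { __html: sanitize ? sanitizeHtml(html) : html };
}

// Constructed sample (not a real model transcript): the kind of HTML a markdown step
// emits when the model was asked for "a page with a script". Payloads are benign.
const SAMPLE_MODEL_HTML =
  '<p>Here is the page:</p>' +
  '<script>document.title = "owned"</script>' +
  '<img src="x" onerror="document.title=\'owned\'">' +
  '<a href="javascript:void(0)">link</a>' +
  '<a href="https://example.com">ok</a>';

console.log(renderModelOutput(SAMPLE_MODEL_HTML).__html);
```

Running the block prints the sanitized markup: the script element and its body are gone, the img keeps src but loses onerror, the javascript: link keeps its text but loses its href, and the https link survives with rel="noopener noreferrer" added. Passing { sanitize: false } reproduces the unsafe path, which is useful as a regression test that fails loudly if the sanitizer is ever bypassed in the render pipeline.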

Added: Feb 24, 2026, 1:35 AM
Updated: Feb 24, 2026, 1:35 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.