OpenSift Cross-Site Scripting Vulnerability in Chat Tool UI

Vulnerability

A persistent cross-site scripting (XSS) vulnerability has been identified in OpenSift, an AI study tool, in versions prior to 1.1.3-alpha. The issue arises because the application renders untrusted user or model content in the chat tool interface using unsafe HTML interpolation methods. This flaw allows stored content to execute JavaScript when viewed in authenticated sessions. An attacker who can manipulate stored study, quiz, or flashcard content could exploit this vulnerability to execute scripts in the context of the victim's browser, potentially performing actions as that user within the local application session.

Impact

Exploitation results in persistent cross-site scripting: injected scripts execute in the context of the user viewing the content, potentially leading to unauthorized actions being performed in the application.

Remediation

Users are advised to upgrade to OpenSift version 1.1.3-alpha or later, where this vulnerability has been fixed.
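
The unsafe HTML interpolation pattern described under Vulnerability, shown next to an output-encoded renderer and a post-upgrade audit of stored content. This is an added example and not OpenSift's code; the function names, the card shape (id, title, body) and the sample records are assumptions constructed for illustration.

```javascript
// Added example: hypothetical renderers and data, not OpenSift's code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that is significant in HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": stored text is interpolated into markup unchanged, so any tags
// it contains become live DOM once the string is assigned to innerHTML.
function renderCardUnsafe(card) {
  return `<div class="card"><h3>${card.title}</h3><p>${card.body}</p></div>`;
}

// "After": same template, every untrusted field encoded before interpolation.
// In a browser, assigning the field to element.textContent has the same effect.
function renderCardSafe(card) {
  return `<div class="card"><h3>${escapeHtml(card.title)}</h3><p>${escapeHtml(card.body)}</p></div>`;
}

// Audit helper: return ids of stored records whose text looks like markup,
// an event-handler attribute or a javascript: URL. Heuristic only; hits
// need manual review, and encoding at render time remains the actual fix.
function findSuspectCards(cards) {
  const markup = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;
  return cards
    .filter((c) => markup.test(String(c.title)) || markup.test(String(c.body)))
    .map((c) => c.id);
}

// Constructed sample of stored study content (not real data).
const STORED_CARDS = [
  { id: 1, title: "Photosynthesis", body: "6CO2 + 6H2O -> C6H12O6 + 6O2" },
  { id: 2, title: "Quiz 3", body: '<img src=x onerror="alert(1)">' },
  { id: 3, title: "Inequalities", body: "If a < b and b < c then a < c" },
];
```

Running findSuspectCards over content stored before the upgrade identifies records worth reviewing; the encoded renderer still displays benign text such as card 3 exactly as the user typed it.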

Added: Feb 21, 2026, 12:19 AM
Updated: Feb 21, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.0
remediation: 0.0
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.