LangBot Cross-Site Scripting Vulnerability in Web UI
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in LangBot versions prior to 4.8.7. The issue arises because the web UI renders user-supplied raw HTML using rehypeRaw, without proper sanitization. This vulnerability is present in the Upload Local plugin feature and the Debug Chat feature, allowing attackers to inject malicious scripts that could steal session tokens and API credentials from localStorage.
Impact
Injected scripts execute in the context of the user's session. This could lead to the theft of session tokens and API keys.
Reproduction
To reproduce this vulnerability, install a malicious extension that includes a crafted README.md file containing an XSS payload, such as an iframe tag with a script to alert session tokens. Once the extension is installed, the payload will be executed, demonstrating the XSS vulnerability. Alternatively, the vulnerability can be reproduced in the Debug Chat feature by sending a message that includes a similar XSS payload.
Remediation
Users can update to LangBot version 4.8.7 or later, where this vulnerability has been patched.
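As a complementary review step for the README.md and chat-message vectors described above, the following added example (not LangBot code and not part of the original advisory) flags raw HTML in Markdown that an unsanitized raw-HTML renderer would turn into live DOM. The function names, tag list and rules are assumptions of this example; it is a triage heuristic and does not replace sanitizing at render time or upgrading.

```javascript
// Added example, not LangBot code: flag raw HTML in Markdown (a plugin README.md
// or chat message) that becomes live DOM when rendered unsanitized. Triage only.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'svg',
  'math', 'form', 'link', 'meta', 'base', 'style']);
// Tag name, then attributes; quoted values may contain '>' (e.g. srcdoc).
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>?/g;
const RULES = [
  ['event-handler', /(?:^|[\s"'\/])on[a-z]+\s*=/i],
  ['srcdoc', /(?:^|[\s"'\/])srcdoc\s*=/i],
  ['script-url', /(?:href|src|action|formaction)\s*=\s*["']?\s*(?:javascript:|data:text\/html)/i],
];

// Line numbers inside ``` or ~~~ fences. Used as a hint only: a line-based
// tracker can disagree with the real Markdown parser, so nothing is suppressed.
function fencedLines(lines) {
  const fenced = new Set();
  let open = null;
  lines.forEach((line, i) => {
    const m = /^ {0,3}(`{3,}|~{3,})/.exec(line);
    if (open === null) { if (m) open = m[1]; return; }
    fenced.add(i + 1);
    const closes = m && m[1][0] === open[0] && m[1].length >= open.length;
    if (closes && line.trim() === m[1]) open = null;
  });
  return fenced;
}

function findRawHtmlRisks(markdown) {
  const fenced = fencedLines(markdown.split(/\r?\n/));
  const findings = [];
  for (const m of markdown.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const reasons = RULES.filter(([, re]) => re.test(m[2])).map(([name]) => name);
    if (ACTIVE_TAGS.has(tag)) reasons.unshift('active-tag');
    if (reasons.length === 0) continue;
    const line = markdown.slice(0, m.index).split('\n').length;
    findings.push({ line, tag, reasons, inCodeFence: fenced.has(line) });
  }
  return findings;
}

// Constructed sample README; payload bodies are placeholders.
const SAMPLE_README = ['# Demo plugin',
  '<iframe srcdoc="<script>/* placeholder */</script>"></iframe>',
  'Usage notes with <b>bold</b> text.',
  '```html', '<img src="x" onerror="placeholder()">', '```'].join('\n');
```

Calling `findRawHtmlRisks(SAMPLE_README)` reports the iframe on line 2 and the `onerror` handler on line 5, the latter marked `inCodeFence: true` so a reviewer can deprioritize it without it being hidden.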
