Appsmith
cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*
- <= 1.95
A critical stored cross-site scripting vulnerability has been identified in the Appsmith Table Widget (TableWidgetV2) in versions prior to 1.96. The issue arises from inadequate HTML sanitization in the React component rendering pipeline, which allows malicious attributes to be injected into the DOM. An attacker with a regular user account can exploit this vulnerability by using the 'Invite Users' feature to manipulate a System Administrator into executing a high-privileged API call, resulting in a full administrative account takeover.
Exploitation of this vulnerability allows for stored cross-site scripting, with the injected script executed in the context of the user viewing the table. This leads to a vertical privilege escalation, granting the attacker administrative rights on the Appsmith instance.
To reproduce this vulnerability, log in with a regular user account and create a new application. Add a Table Widget and inject a payload containing an image tag with an 'onerror' event into the Table Data property. This will confirm the XSS vulnerability by executing the script. Next, update the Table Data with a payload designed to exploit the vulnerability by reading the Admin's XSRF-TOKEN and sending a request to add the user to the administrative whitelist. Once the Admin opens the invitation, the script will execute, granting admin privileges to the user.
Users are advised to update to Appsmith version 1.96 or later. Additionally, implement proper sanitization of dynamic outputs in the Table Widget and related components, and establish a strict content security policy to prevent unauthorized API calls from XSS payloads.
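As an added example of the sanitization the advisory recommends (illustrative code, not Appsmith's own widget implementation), the helper below renders table-cell HTML from an allowlist: output is rebuilt from parsed tokens, so event-handler attributes such as onerror and javascript: URLs are dropped rather than passed into the DOM. The tag and attribute allowlists are assumptions chosen for this illustration.

```javascript
// Allowlist-based cell sanitizer: output is rebuilt from parsed tokens, so
// anything not explicitly allowed (tags, attributes, URL schemes) is dropped
// or escaped instead of passed through. Hypothetical helper, not Appsmith code.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "a", "br"]);
// Only these attributes survive, and only on these tags (assumed allowlist).
const ALLOWED_ATTRS = { a: new Set(["href"]) };

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Parse the raw attribute string of one tag into [name, value] pairs.
function parseAttrs(raw) {
  const out = [];
  const re = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  }
  return out;
}

function sanitizeCell(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags is escaped
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    const closing = m[0][1] === "/";
    if (!ALLOWED_TAGS.has(tag)) continue; // unknown tag (img, script, ...) is dropped
    if (closing) { out += `</${tag}>`; continue; }
    let attrs = "";
    for (const [name, value] of parseAttrs(m[2])) {
      // Event handlers (onerror, onclick, ...) are never on the allowlist.
      if (!ALLOWED_ATTRS[tag] || !ALLOWED_ATTRS[tag].has(name)) continue;
      if (name === "href" && !/^https?:\/\//i.test(value)) continue; // no javascript: URLs
      attrs += ` ${name}="${escapeHtml(value)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out + escapeHtml(html.slice(last));
}

// Constructed input: a cell value carrying an event-handler attribute.
console.log(sanitizeCell('<b onmouseover="x">bold</b> & <img src=x onerror=alert(1)>'));
```

Inner text of a dropped tag is kept as escaped text, so a stripped element shows its content harmlessly rather than vanishing silently.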