ByteDance Deer-Flow Stored Cross-Site Scripting Vulnerability in Artifacts API

A stored cross-site scripting vulnerability has been identified in ByteDance Deer-Flow versions prior to commit 5dbb362. This vulnerability resides in the artifacts API, where attackers can execute arbitrary scripts by uploading malicious HTML or script content as artifacts. The uploaded content is executed in the context of the user's browser when artifacts are viewed, potentially leading to session compromise, credential theft, and unauthorized script execution.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the artifacts, according to VulnCheck.

Reproduction

To reproduce this vulnerability, upload a file containing malicious HTML or script content as an artifact. Once the file is uploaded, it will be executed in the browser context when the artifact is viewed. This can be done by using the artifacts API to upload the file, ensuring that the content includes the desired script or HTML payload. After uploading, access the artifact through the API, which will trigger the execution of the embedded script or HTML.

Remediation

Users are advised to update to the latest version of ByteDance Deer-Flow, as the vulnerability has been addressed in commit 5dbb362.