MaxKB Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in MaxKB, an open-source AI assistant for enterprise, affecting versions through 2.7.1. The issue arises when users inject malicious JavaScript into the application name or icon fields while creating an application. This unescaped data is then inserted into the HTML response of the public chat interface, allowing the execution of arbitrary JavaScript in the context of the victim's browser.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, an authenticated user must send a POST request to the '/api/application/' endpoint with a payload that includes a script injection in the 'name' or 'icon' fields. Once the application is created, the injected script will execute when the public chat interface is accessed.
Remediation
Users can upgrade to MaxKB version 2.8.0 to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.