Jcharis Machine-Learning-Web-Apps Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Jcharis Machine-Learning-Web-Apps versions prior to a6996b634d98ccec4701ac8934016e8175b60eb5. The issue arises in the Jinja2 template rendering process, specifically within the 'render_template' function of 'app/app.py'. User input from the 'newtext' field is passed directly to the template without proper escaping, allowing the injection of arbitrary HTML or JavaScript. This vulnerability can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to the '/preview' endpoint with a payload that includes JavaScript, such as an image tag with an 'onerror' event. The injected script will execute in the browser, demonstrating the cross-site scripting vulnerability.