Open WebUI
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- <= 0.7.2
A stored cross-site scripting vulnerability has been identified in Open WebUI versions prior to 0.8.0. The issue arises in the Excel file preview feature, where the application renders content from XLSX attachments into HTML without properly sanitizing it. This flaw allows an attacker to craft a malicious Excel file that, when previewed, executes JavaScript embedded in the generated HTML. The vulnerability can be exploited in shared chats, potentially leading to session hijacking for low-privilege users or remote code execution for admins.
Exploitation of this vulnerability allows for cross-site scripting, with additional risks of session hijacking for low-privilege users and remote code execution for admins.
To reproduce this vulnerability, upload a crafted XLSX file containing an XSS payload as an attachment in a chat. Open the file modal and select the preview tab. The XSS payload will execute, demonstrating the vulnerability. This same process can be triggered in shared chats, allowing the payload to be distributed to other users.
Users are advised to update to Open WebUI version 0.8.0 or later, where this vulnerability has been fixed.
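As an added illustration (not Open WebUI's code, and not its actual fix), the following JavaScript contrasts a spreadsheet preview renderer that concatenates cell text straight into HTML with one that escapes each cell first, plus a small check a test suite can run over rendered output. The workbook rows, the sample cell containing a script tag, and all function names are constructed for this example.

```javascript
// Added example (hypothetical, not Open WebUI's code): why untrusted
// spreadsheet cell text must be escaped before it is placed in preview HTML.

// Constructed sample workbook: a 2-D array of cell strings standing in for
// the rows an XLSX parser would hand to a preview component. One cell holds
// a harmless script tag to show how cell content can reach the DOM as markup.
const SAMPLE_ROWS = [
  ["Item", "Qty"],
  ["Widget", "3"],
  ["<script>console.log('ran')</script>", "1"],
];

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: cell text is concatenated directly into markup, so a
// cell containing a tag or an on* attribute becomes live HTML when rendered.
function renderPreviewUnsafe(rows) {
  const body = rows
    .map((r) => "<tr>" + r.map((c) => "<td>" + c + "</td>").join("") + "</tr>")
    .join("");
  return "<table>" + body + "</table>";
}

// Hardened pattern: every cell passes through escapeHtml, so the browser
// displays the text literally and never parses it as markup.
function renderPreviewSafe(rows) {
  const body = rows
    .map((r) => "<tr>" + r.map((c) => "<td>" + escapeHtml(c) + "</td>").join("") + "</tr>")
    .join("");
  return "<table>" + body + "</table>";
}

// Regression check for rendered previews: after removing the renderer's own
// structural tags, does any tag or event-handler attribute remain?
function containsLiveMarkup(html) {
  const stripped = html.replace(/<\/?(table|tr|td)>/g, "");
  return /<[a-zA-Z!\/]|on\w+\s*=/.test(stripped);
}
```

Usage: `containsLiveMarkup(renderPreviewUnsafe(SAMPLE_ROWS))` is true and `containsLiveMarkup(renderPreviewSafe(SAMPLE_ROWS))` is false; the same check can be pointed at a real preview component's output. Escaping at the rendering step is the minimal fix; a Content Security Policy that disallows inline script is a complementary control that limits the impact of any escaping gap that remains.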