Open WebUI Cross-Site Scripting Vulnerability in Pending User Overlay

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Open WebUI versions prior to 0.9.0. The issue is in the AccountPending.svelte component, where the 'Pending User Overlay Content' setting is rendered with marked.parse() inside an {@html} block and DOMPurify is applied in the wrong order relative to marked.parse(): the content is sanitized before it is rendered to HTML rather than after, so the HTML that marked emits reaches the DOM unsanitized. An admin can therefore place arbitrary JavaScript in the overlay content (for example a Markdown link whose href uses the javascript: scheme), and it executes in the browser context of every pending user who views the overlay page.

Impact

Exploitation of this vulnerability allows an admin, or anyone holding a compromised admin session, to inject and execute arbitrary JavaScript in the browsers of pending users, potentially leading to session hijacking, credential theft, or phishing attacks. Note the trust boundary: the attacker must already be an administrator, so the flaw lets admin-supplied content attack newly registered accounts rather than granting admin access.

Reproduction

To reproduce this vulnerability, log in as an admin user on Open WebUI version 0.8.10. Navigate to the Admin Settings and set the Default User Role to pending. In the Pending User Overlay Content field, enter a Markdown-formatted message that includes a link whose href uses the 'javascript:' scheme. Save the settings, then log in (or register a new account) as a pending user so that the overlay is shown. Clicking the injected link triggers a JavaScript alert, confirming that the script executes in the pending user's browser.

Remediation

Users should update to Open WebUI version 0.9.0 or later, where this vulnerability has been fixed. Until the upgrade is applied, administrators can review the Pending User Overlay Content setting for links whose href uses the javascript: scheme, and should treat the setting as admin-supplied content that reaches every pending user's browser.

Added: May 15, 2026, 8:29 PM
Updated: May 15, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 3.3
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.