Open WebUI Stored Cross-Site Scripting Vulnerability in Office File Previews

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Open WebUI versions prior to 0.9.3. It stems from the file preview feature's handling of user-uploaded Office files (Excel and DOCX): the application renders these files as HTML through Svelte's {@html} directive without sanitizing that HTML first, so markup embedded in a document's content reaches the viewer's page as live HTML. The vulnerable code was reintroduced after version 0.8.0, so the affected releases span several versions and ranges from that point up to and including 0.9.2.

Impact

An injected script runs in the browser of any user who previews the file, within the origin of the Open WebUI instance, so it can act with that user's session. Possible consequences include session hijacking, account takeover and data exfiltration. Because the payload is stored with the file, a single malicious upload in a multi-user deployment can affect every user who views it.

Reproduction

To reproduce this vulnerability, upload an Excel or DOCX file whose content contains HTML with an event handler, for example an image tag with an onerror attribute or an SVG element with an onload attribute, through the Open WebUI chat file upload. When the file is previewed, the event handler fires and the embedded script executes, demonstrating the XSS vulnerability.

Remediation

To address this vulnerability, apply DOMPurify sanitization to the generated HTML in all three file preview paths in the Svelte components before it reaches {@html}. Alternatively, introduce a wrapper component that applies DOMPurify to whatever it is given and renders only the sanitized result, so that every preview path goes through one sanitization point and a newly added path cannot bypass it. Upgrading to 0.9.3 or later, where the issue is addressed, is the straightforward fix for deployments.
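The following Python script is an added example and is not code from Open WebUI or from the advisory. It ties the Reproduction and Remediation sections together: it builds constructed DOCX and XLSX skeletons that carry a payload of the described shape in the same XML text nodes a real file uses (a w:t run in word/document.xml, an inline-string cell in xl/worksheets/sheet1.xml), and it scans an uploaded package for text that would become active markup if rendered as HTML without sanitization. The scanner is a compensating upload-time check for instances that cannot yet move to a fixed version; it does not replace DOMPurify at the render boundary. The skeletons omit the package parts an office suite needs to open them, so for an end-to-end test against an instance, build the file in a word processor or spreadsheet and run the scanner on that. The part names, regular expressions and payload strings are this example's own choices, not the project's.

```python
"""Added example (not Open WebUI code): build constructed OOXML skeletons that
carry an HTML payload in their text nodes, then scan a package for text that
would go live if rendered through {@html} without sanitization."""
import html
import io
import re
import zipfile
from xml.sax.saxutils import escape

# Payloads of the shape the advisory names (constructed test strings).
IMG_PAYLOAD = '<img src=x onerror=alert(document.cookie)>'
SVG_PAYLOAD = '<svg onload=alert(1)></svg>'

# OOXML parts whose text a preview would render (assumption: the preview
# shows document body text and sheet cell values).
TEXT_PARTS = re.compile(
    r'^(word/document\.xml|xl/worksheets/sheet\d+\.xml|xl/sharedStrings\.xml)$')
# <w:t> runs in WordprocessingML; <t> in inline-string cells and sharedStrings.
TEXT_NODE = re.compile(r'<(?:w:)?t(?:\s[^>]*)?>(.*?)</(?:w:)?t>', re.S)
# Markup that executes or loads active content once parsed as HTML.
ACTIVE_HTML = re.compile(
    r'<\s*(?:script|svg|img|iframe|object|embed|style|link)\b'
    r'|\bon[a-z]+\s*='
    r'|javascript\s*:', re.I)


def _package(parts: dict[str, str]) -> bytes:
    """Zip the given parts into an OOXML-style package (reduced skeleton)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_docx(text: str) -> bytes:
    """Constructed DOCX skeleton: one paragraph run holding `text` in word/document.xml.
    The text is XML-escaped on the way in, as a word processor stores it."""
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:t xml:space="preserve">' + escape(text) +
           '</w:t></w:r></w:p></w:body></w:document>')
    return _package({'word/document.xml': doc})


def build_xlsx(cell_text: str) -> bytes:
    """Constructed XLSX skeleton: cell A1 as an inline string in xl/worksheets/sheet1.xml."""
    sheet = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
             '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>' + escape(cell_text) +
             '</t></is></c></row></sheetData></worksheet>')
    return _package({'xl/worksheets/sheet1.xml': sheet})


def scan_office_file(data: bytes) -> list[tuple[str, str]]:
    """Return (part name, text) for every text node whose content contains
    markup that would become active if rendered as HTML unsanitized.

    Office packages store text XML-escaped ('&lt;img ...&gt;'), so the node
    content is unescaped before matching: the check looks at what the
    document's text actually says, which is what a preview renders."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not TEXT_PARTS.match(name):
                continue
            xml = zf.read(name).decode('utf-8', errors='replace')
            for m in TEXT_NODE.finditer(xml):
                text = html.unescape(m.group(1))
                if ACTIVE_HTML.search(text):
                    findings.append((name, text))
    return findings


if __name__ == '__main__':
    samples = [
        ('docx with img/onerror', build_docx(IMG_PAYLOAD)),
        ('xlsx with svg/onload', build_xlsx(SVG_PAYLOAD)),
        ('benign xlsx', build_xlsx('Q3 revenue < target')),
    ]
    for label, blob in samples:
        print(f'{label}: {scan_office_file(blob)}')
```

The tag and attribute lists are deliberately a denylist of the obvious vectors, which is why this belongs at upload as an extra signal and not as the fix: a render-time allowlist sanitizer such as DOMPurify handles the cases a pattern list misses, including markup that a converter produces from document structure rather than from literal text.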

Added: May 15, 2026, 10:27 PM
Updated: May 15, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  4.4
remediation     7.7
relevance       8.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.