Open WebUI Cross-Site Scripting Vulnerability in SVG Renderer

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in Open WebUI versions prior to 0.6.31. The issue arises in the application's SVG renderer, where it is possible to inject and execute HTML or JavaScript code. This vulnerability can be exploited to steal sensitive data, manipulate the DOM, or conduct complex client-side attacks.

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting, where injected malicious code is executed in the context of the user's browser. This could lead to unauthorized access to sensitive information, manipulation of application data, or account takeover.

Reproduction

To reproduce this vulnerability, log into Open WebUI and start a new conversation. Request the application to draw a green circle using SVG. Once the SVG is generated, click on it to edit the code. Inject a payload, such as an image tag with an error event handler, into the SVG code. Save the changes, and the injected code will be executed, demonstrating the Cross-Site Scripting vulnerability.
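The defensive counterpart to the renderer behaviour described above, as an added example that is not code from Open WebUI or from the 0.6.31 fix: an allowlist-based SVG sanitizer that parses the markup as XML and keeps only known-safe drawing elements and attributes, so that event-handler attributes, script elements and non-SVG elements such as an image tag are stripped before anything reaches the DOM. The allowlists, function names and the sample input are assumptions chosen for this example.

```python
import xml.etree.ElementTree as ET
SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize back with a plain xmlns, not ns0:

# Assumed allowlists: enough for simple drawings such as the green circle in the
# reproduction, nothing that can carry script, styles or external references.
ALLOWED_TAGS = {"svg", "g", "title", "desc", "circle", "ellipse", "rect",
                "line", "polyline", "polygon", "path", "text"}
ALLOWED_ATTRS = {"width", "height", "viewBox", "cx", "cy", "r", "rx", "ry",
                 "x", "y", "x1", "y1", "x2", "y2", "d", "points", "fill",
                 "stroke", "stroke-width", "transform", "id"}

def _split(name):
    # ElementTree spells namespaced names '{ns}local'; return (ns, local)
    return tuple(name[1:].split("}", 1)) if name.startswith("{") else (None, name)

def _allowed_element(tag):
    ns, local = _split(tag)
    # Rejects elements outside the SVG namespace (HTML reached via <foreignObject>,
    # an HTML <img> with an error handler) and SVG elements not on the allowlist.
    return ns in (None, SVG_NS) and local in ALLOWED_TAGS

def _clean(elem):
    for child in list(elem):       # iterate over a copy while removing
        if _allowed_element(child.tag):
            _clean(child)
        else:
            elem.remove(child)     # drops the whole subtree, text included
    for name in list(elem.attrib):
        local = _split(name)[1]
        # allowlist first; the on* check is belt and braces for future edits
        if local not in ALLOWED_ATTRS or local.lower().startswith("on"):
            del elem.attrib[name]

def sanitize_svg(markup: str) -> str:
    """Return markup reduced to allowlisted SVG. Raises ValueError for input that is
    not well-formed XML or not rooted at <svg>; the caller should then refuse to render."""
    try:
        root = ET.fromstring(markup)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed SVG: {exc}") from exc
    if not (_allowed_element(root.tag) and _split(root.tag)[1] == "svg"):
        raise ValueError("root element is not <svg>")
    _clean(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: a green circle with handlers and extra elements injected.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100" onload="alert(1)">'
          '<circle cx="50" cy="50" r="40" fill="green" onclick="alert(1)"/>'
          '<img src="x" onerror="alert(1)"/><script>alert(1)</script></svg>')
```

In production a maintained sanitizer such as DOMPurify with its SVG profile is the usual choice on the client side; when parsing untrusted XML in Python, use defusedxml rather than the standard library to avoid entity-expansion attacks.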

Remediation

Users should update Open WebUI to version 0.6.31 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 10:25 PM
Updated: May 15, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 4.4
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.