welovemedia FFmate Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in welovemedia FFmate versions through 2.0.15. The issue arises in the Webhook Handler component, specifically within the AppJsonTreeView.vue file. Webhook responses are stored and displayed without proper sanitization, allowing malicious JavaScript payloads to execute in the browsers of users viewing the webhook execution results. This vulnerability could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of victims.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts execute in the context of the user viewing the webhook execution results.
Reproduction
To reproduce this vulnerability, create a webhook that points to a malicious endpoint injecting JavaScript into the response. Then, access the webhook execution results in the FFmate application, where the injected script will execute in the browser.
Remediation
It is recommended to implement HTML sanitization, avoid using 'v-html' in Vue.js, apply Content Security Policy headers, and validate input against a whitelist of allowed HTML tags and attributes.
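The output-encoding part of this remediation, as an added example rather than FFmate's own code: a JSON tree renderer that escapes every key and leaf of an untrusted webhook response before it becomes markup. The function names, CSS class names and sample response are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper names, not FFmate source code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a parsed JSON value as nested <ul> markup. Every key and every leaf
// is escaped, so the only tags in the output are the ones emitted here.
function renderJsonTree(value, depth = 0) {
  if (depth > 32) return '<span class="json-truncated">...</span>'; // bound recursion on hostile input
  if (value === null || typeof value !== "object") {
    const type = value === null ? "null" : typeof value;
    // JSON.stringify keeps the quotes on strings; its output is then escaped.
    return `<span class="json-${type}">${escapeHtml(JSON.stringify(value))}</span>`;
  }
  const entries = Array.isArray(value)
    ? value.map((v, i) => [String(i), v])
    : Object.entries(value);
  const items = entries.map(
    ([k, v]) => `<li><span class="json-key">${escapeHtml(k)}</span>: ${renderJsonTree(v, depth + 1)}</li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// Webhook response bodies are untrusted: parse as JSON, fall back to escaped text.
function renderWebhookResponse(body) {
  try {
    return renderJsonTree(JSON.parse(body));
  } catch {
    return `<pre>${escapeHtml(body)}</pre>`;
  }
}

// Constructed sample response carrying markup in both a key and a value.
const sampleBody = JSON.stringify({
  status: "ok",
  "<b>note</b>": '<script>alert("x")</script>',
});
console.log(renderWebhookResponse(sampleBody));
```

Markup built this way stays inert even if a component binds it with v-html; binding the values with Vue text interpolation avoids building HTML strings at all.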
