1Panel-dev MaxKB Stored Cross-Site Scripting Vulnerability in Public Chat Interface

Vulnerability

A stored cross-site scripting vulnerability has been identified in 1Panel-dev MaxKB versions through 2.2.1. The flaw is in the public chat interface, specifically in the StaticHeadersMiddleware component in apps/common/middleware/static_headers_middleware.py, which writes the application name and icon into the served page without HTML-escaping them. An authenticated user who can create an application can store a script payload in its name; that payload is then executed as JavaScript in the browser of anyone who opens the application's public chat interface. The vulnerability is exploitable remotely and requires user interaction: a victim must visit the chat page.

Impact

Any script stored in the application name runs in the origin of the MaxKB instance in the browser of every visitor to the affected public chat interface. Because the interface is public, victims need not be logged in; for visitors who are, the script can read page content and issue requests to the instance in the context of their browser session.

Reproduction

To reproduce this vulnerability, an authenticated user sends a POST request to the '/api/application/' endpoint with a script payload in the 'name' field. Once the application is created, anyone who opens its public chat interface triggers the injected script.
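The following is an added example and not code from MaxKB or from the original advisory. It models the two sides of what the vulnerability and reproduction sections describe: building the POST /api/application/ body with a script payload in the 'name' field, a rendering function that interpolates the stored name and icon into HTML the way the advisory says the middleware does, and a hardened version that HTML-escapes both values and additionally restricts the icon to http(s) or site-relative URLs, since escaping alone does not neutralise a javascript: URL in an href attribute. The HTML fragment, the payloads, and the scheme check are assumptions for illustration; only the endpoint and the 'name' field come from the page.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed payload for illustration; not a payload quoted by the advisory.
MALICIOUS_NAME = '</title><script>alert(document.domain)</script>'

# Constructed icon value that HTML escaping alone does not neutralise.
MALICIOUS_ICON = 'javascript:alert(1)'

# Assumed fragment of what a middleware such as StaticHeadersMiddleware writes
# into the served chat page. The real template is not on the page.
HEAD_TEMPLATE = '<title>{name}</title><link rel="icon" href="{icon}">'


def build_create_app_body(name: str) -> str:
    """JSON body for the POST /api/application/ request from the advisory.

    Only the 'name' field is stated on the page; no other fields are assumed.
    """
    return json.dumps({"name": name})


def render_head_vulnerable(name: str, icon: str) -> str:
    """Interpolates stored values straight into HTML: the defect class described."""
    return HEAD_TEMPLATE.format(name=name, icon=icon)


def safe_icon_url(icon: str) -> str:
    """Allow only absolute http(s) URLs and site-relative paths; otherwise return ''.

    A javascript: URL survives html.escape untouched, so the scheme must be
    checked separately from the escaping. This allowlist is an assumption.
    """
    value = icon.strip()
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return value
    # Site-relative path: no scheme, no host, and not a protocol-relative '//host'.
    if parts.scheme == "" and parts.netloc == "" and value.startswith("/") and not value.startswith("//"):
        return value
    return ""


def render_head_fixed(name: str, icon: str) -> str:
    """Escape for element text and, with quote=True, for the attribute value too."""
    return HEAD_TEMPLATE.format(
        name=html.escape(name, quote=True),
        icon=html.escape(safe_icon_url(icon), quote=True),
    )


def looks_like_markup(value: str) -> bool:
    """Cheap triage check for reviewing already-stored application names."""
    return any(ch in value for ch in "<>\"'")


if __name__ == "__main__":
    print("request body:", build_create_app_body(MALICIOUS_NAME))
    print("vulnerable  :", render_head_vulnerable(MALICIOUS_NAME, MALICIOUS_ICON))
    print("fixed       :", render_head_fixed(MALICIOUS_NAME, MALICIOUS_ICON))
```

The vulnerable renderer emits the stored name verbatim, so the closing title tag in the payload terminates the element and the script tag is parsed as markup. The fixed renderer keeps the name as inert text and drops the javascript: icon entirely; html.escape with quote=True is used because the icon lands inside a double-quoted attribute, where an unescaped quote would otherwise let the value break out of the attribute.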

Remediation

Users are advised to upgrade to MaxKB version 2.8.0, which addresses this vulnerability. Because the payload is stored in the application name, it is also worth reviewing the names and icons of applications created before the upgrade for HTML markup or script URLs and correcting any that were tampered with.

Added: Apr 11, 2026, 11:18 PM
Updated: Apr 11, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  6.3
remediation     0.0
relevance       5.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.