ComfyUI Cross-Site Scripting Vulnerability in User Data Endpoint
Vulnerability
A stored cross-site scripting vulnerability has been identified in ComfyUI versions through 0.13.0. The issue is in the user data endpoint, specifically the 'getuserdata' function of 'app/user_manager.py'. Malicious files can be uploaded and are later served to users without proper content type sanitization, so JavaScript embedded in them executes. The flaw can be exploited remotely, and the uploaded scripts run in the context of the ComfyUI application.
Impact
Exploitation of this vulnerability allows for the execution of JavaScript in the context of the ComfyUI application, with potential access to the victim's local storage and the ability to make arbitrary API calls to the ComfyUI backend on behalf of the victim.
Reproduction
To reproduce this vulnerability, upload a malicious HTML file containing JavaScript, such as an 'alert()' script, to the '/userdata' endpoint. Once the file is uploaded, access it through the same endpoint, which will execute the JavaScript in the context of the ComfyUI application.
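A mitigation sketch for the serving side, added here as an illustration and not taken from ComfyUI's code or its fix: response headers are chosen from an allow-list of passive types, and everything else is sent as a download so the browser never renders it in the application's origin. The function name `userdata_response_headers`, the allow-list contents and the sample file names are assumptions made for this example.

```python
import os
import re

# Assumption for this example: only these passive types may render inline.
INLINE_TYPES = {
    ".json": "application/json",
    ".txt": "text/plain; charset=utf-8",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".webp": "image/webp",
}


def userdata_response_headers(stored_name: str) -> dict:
    """Return headers for serving a user-uploaded file without script execution."""
    # Keep only the final path component and judge it by its last extension,
    # so "x.png.HTML" is treated as HTML, not as an image.
    base = os.path.basename(stored_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    headers = {
        # Stop the browser from sniffing a different type out of the body.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even if rendered, no scripts and a sandboxed origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    ctype = INLINE_TYPES.get(ext)
    if ctype is None:
        # Unknown or active type (.html, .svg, .xml, ...): force a download.
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe}"'
    else:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = "inline"
    return headers


if __name__ == "__main__":
    # Constructed sample names, not taken from any real installation.
    for name in ("workflows/a.JSON", "notes.html", "x.png.HTML", 'a"b<c>.svg'):
        print(name, "->", userdata_response_headers(name))
```
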
