LangGenius Dify Cross-Site Scripting Vulnerability in Image Preview Component

Vulnerability

A DOM-based cross-site scripting (XSS) vulnerability exists in the LangGenius Dify web application in versions through 1.13.3. The issue is located in the ImagePreview component, within the openInNewTab function of the file web/app/components/base/image-uploader/image-preview.tsx. The function interpolates the title parameter, which is derived from user-controlled filenames, into an HTML string using a template literal, and then writes that unsanitized string to the new document with document.write(). Because the filename reaches the markup without escaping, an attacker can place script in it that executes when the image is opened in a new tab.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to session hijacking, account takeover, data theft, phishing, or malware distribution.

Reproduction

To reproduce this vulnerability, upload a file whose filename contains a script injection payload, such as a JavaScript alert script, and then share the file in a conversation or upload context where another user will view it. When the recipient clicks 'Open in New Tab', the injected script executes, demonstrating the cross-site scripting vulnerability.

Added: Apr 20, 2026, 9:28 AM
Updated: Apr 20, 2026, 9:28 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 4.2
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.