CTI Transmute Stored Cross-Site Scripting Vulnerability in Notification Panel

Vulnerability

A stored cross-site scripting vulnerability has been identified in the notification panel of CTI Transmute, affecting versions prior to the patched release. Notification messages embed user-controlled convert names, and the notification dropdown inserted those messages with innerHTML without sanitizing or encoding them, so a convert name containing markup is parsed as HTML instead of being shown as text. An attacker who can set a convert name can therefore inject arbitrary JavaScript that executes in the browser of any authenticated user who opens the notification panel. Because the payload is persisted with the convert and rendered on every view, exploitation could let the attacker perform actions in the victim's session or read application information available in the browser context.

Impact

Injected script runs with the privileges of whichever user opens the notification panel, so the attacker can act as that user within the application and read any information the page exposes to JavaScript. Because the payload persists in the stored convert name rather than in a single request, every user who views the affected notification is exposed, not only the user who created the convert.

Reproduction

To reproduce this vulnerability, create a convert whose name contains a script injection payload (for example, an HTML element with an event-handler attribute). Once that convert name is included in a notification message, open the notification panel as an authenticated user; the injected script executes when the dropdown renders the message. On a patched version the same convert name is displayed verbatim, with its angle brackets visible, and no script runs.

Remediation

The vulnerability has been addressed by changing how notification elements are created and displayed. The application now builds each notification item with DOM methods (such as createElement) and assigns the message with textContent instead of innerHTML, so convert names are treated as plain text and cannot introduce elements or event handlers. Users should update to the latest version of CTI Transmute to apply this fix. As defence in depth, a Content Security Policy that disallows inline script would limit the impact of any similar rendering bug.
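As an added example that is not CTI Transmute's own code, the following JavaScript shows the rendering pattern described in the Vulnerability, Reproduction and Remediation sections: the innerHTML string-building that lets a convert name become live markup, the DOM-built, textContent-based rendering that the fix uses, and an escaping fallback for a code path that must still produce a markup string. The function names, the notification fields, the sample convert names and the small DOM stand-in are assumptions made for illustration.

```javascript
// Added example, not CTI Transmute code. Names (renderVulnerable, renderSafe,
// convertName, ...) are assumptions for illustration.

// Constructed sample input: the second convert name carries a payload that
// fires without user interaction once the browser parses it as HTML.
const SAMPLE_NOTIFICATIONS = [
  { id: 1, message: "Conversion finished: ", convertName: "quarterly-report.pdf" },
  { id: 2, message: "Conversion finished: ",
    convertName: '<img src=x onerror="alert(document.cookie)">' },
];

// BEFORE (vulnerable): the markup string this returns is what the old panel
// assigned to dropdown.innerHTML. The browser's HTML parser turns the convert
// name into a real <img> element and runs its onerror handler.
function renderVulnerable(notifications) {
  return notifications
    .map((n) => `<li class="notification">${n.message}${n.convertName}</li>`)
    .join("");
}

// AFTER (the remediation the advisory describes): build each item with DOM
// methods and assign the text with textContent. textContent never invokes the
// HTML parser, so "<img ...>" is stored and displayed as literal characters.
// `doc` is the browser document, passed in so the function can also run
// against a stand-in outside a browser.
function renderSafe(doc, container, notifications) {
  container.replaceChildren(); // clear previous items without innerHTML = ""
  for (const n of notifications) {
    const li = doc.createElement("li");
    li.className = "notification";
    li.textContent = n.message + n.convertName;
    container.appendChild(li);
  }
  return container;
}

// Fallback for a code path that must still produce a markup string: encode the
// HTML-significant characters. Correct for text content and double-quoted
// attribute values only; it does not make user input safe inside URLs, inline
// event handlers or <script> blocks.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderEscaped(notifications) {
  return notifications
    .map((n) => `<li class="notification">${escapeHtml(n.message)}${escapeHtml(n.convertName)}</li>`)
    .join("");
}

// Minimal stand-in for the parts of the DOM that renderSafe touches, so the
// example runs under Node. Constructed for this example only; in the
// application pass the real `document` and the dropdown's <ul>.
function fakeDocument() {
  return {
    createElement(tagName) {
      return {
        tagName, className: "", textContent: "", children: [],
        appendChild(child) { this.children.push(child); return child; },
        replaceChildren() { this.children.length = 0; },
      };
    },
  };
}

// Stand-alone run: the three renderings of the same notifications.
const demoDoc = fakeDocument();
const demoList = renderSafe(demoDoc, demoDoc.createElement("ul"), SAMPLE_NOTIFICATIONS);
console.log("vulnerable:", renderVulnerable(SAMPLE_NOTIFICATIONS));
console.log("escaped:   ", renderEscaped(SAMPLE_NOTIFICATIONS));
console.log("DOM text:  ", demoList.children.map((li) => li.textContent));
```

textContent only neutralises markup in text positions. If an item also sets an href or src from user input, that attribute still needs its own validation (for instance rejecting javascript: URLs), because building the element with DOM methods does not help there.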

Added: May 28, 2026, 8:24 AM
Updated: May 28, 2026, 8:24 AM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 1.7
exploitability: 7.4
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 0.0
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.