cfire24 ajaxlife cross site scripting
Description
A vulnerability has been found in cfire24 ajaxlife up to 0.3.2 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.3.3 is able to address this issue. The patch is identified as 9fb53b67312fe3f4336e01c1e3e1bedb4be0c1c8. It is recommended to upgrade the affected component. VDB-222286 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in cfire24 ajaxlife up to 0.3.2 allows remote attackers to inject arbitrary web script via the link feature.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in cfire24 ajaxlife versions up to 0.3.2. The flaw resides in the AjaxLife.InstantMessage and AjaxLife.SpatialChat functions, where user-supplied text is processed by AjaxLife.Utils.LinkURLs() without prior HTML escaping. This allows an attacker to inject malicious script payloads that are later rendered in the chat interface. The issue is fixed in version 0.3.3 [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted message containing a malicious script via the link feature. No authentication is required, as the chat functionality is accessible to any user. The injected script is executed when other users view the chat message, leading to client-side code execution.
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of the victim's browser. This can lead to session hijacking, defacement of the chat interface, or theft of sensitive information such as cookies or authentication tokens.
Mitigation
Upgrade to version 0.3.3, which includes the fix identified in commit 9fb53b67312fe3f4336e01c1e3e1bedb4be0c1c8 [2]. The patch applies escapeHTML() to the text before passing it to LinkURLs(). No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (2)
9fb53b67312f: Fixes injection exploit caused by link feature.
2 files changed · +2 −2
client/AjaxLife.InstantMessage.js+1 −1 modified@@ -284,7 +284,7 @@ AjaxLife.InstantMessage = function() { { if(chats[session] && chats[session].content) { - text = AjaxLife.Utils.LinkURLs(text); + text = AjaxLife.Utils.LinkURLs(text.escapeHTML()); var line = Ext.get(document.createElement('div')); line.addClass(["agentmessage","chatline"]); var timestamp = Ext.get(document.createElement('span'));
client/AjaxLife.SpatialChat.js+1 −1 modified@@ -86,7 +86,7 @@ AjaxLife.SpatialChat = function() { // and a timestamp is calculated in the user's timezone (assuming their computer clock is accurate) function add(text, sourcetype) { - text = AjaxLife.Utils.LinkURLs(text); + text = AjaxLife.Utils.LinkURLs(text.escapeHTML()); // Make a div to put this in. var line = Ext.get(document.createElement('div')); line.addClass("chatline");
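Review bot: both hunks change the order of operations to escape-then-linkify, which only holds if LinkURLs() now tolerates entity-encoded input; its URL-matching expression must stop at `&lt;`, `&gt;` and `&quot;` (otherwise escaped text following a URL is swallowed into the href it builds), and the anchor it emits must still quote the matched URL, since `text.escapeHTML()` upstream does not protect markup that LinkURLs() constructs itself. `escapeHTML` is invoked here as a method on the string, so it is a String.prototype extension from a library rather than a built-in; worth confirming it is loaded on every page that includes these two files. The commit message names only the link feature, so any other path by which chat text reaches innerHTML would need the same treatment.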
Vulnerability mechanics
Root cause
"Missing HTML escaping of user-supplied chat text before URL linkification allows injection of arbitrary HTML and JavaScript."
Attack vector
An attacker sends a crafted chat message containing an anchor tag with an `onclick` event handler, such as `
Affected code
The vulnerability exists in `client/AjaxLife.InstantMessage.js` and `client/AjaxLife.SpatialChat.js`. In both files, the `LinkURLs` function is called on raw user-supplied text without prior HTML escaping, allowing injected HTML/JavaScript to pass through unmodified [patch_id=2243707].
What the fix does
The patch adds a call to `.escapeHTML()` on the `text` variable before passing it to `AjaxLife.Utils.LinkURLs()` in both `AjaxLife.InstantMessage.js` and `AjaxLife.SpatialChat.js` [patch_id=2243707]. This HTML-encodes any embedded HTML tags and event handlers in the message, preventing the browser from interpreting attacker-supplied markup as executable code. The fix ensures that the link-URL transformation operates on safely escaped text rather than raw user input.
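The following is an added illustration, not code from the ajaxlife project: a string-only model of the rendering pipeline described in the Vulnerability and What-the-fix-does sections. The `escapeHTML` and `linkURLs` helpers are assumed stand-ins (the real `String.prototype.escapeHTML` and `AjaxLife.Utils.LinkURLs()` are not reproduced here), `renderVulnerable` mirrors the pre-patch call order and `renderFixed` the post-patch one, and `hasForeignMarkup` is a constructed check for tags that did not come from linkification. The sample message is constructed.

```javascript
// Added example (not AjaxLife's code). Models "linkify raw text" vs. "escape, then linkify".

// Assumed stand-in for the library's String.prototype.escapeHTML(): encodes the five
// characters that can open a tag, an attribute, or an entity.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Assumed stand-in for AjaxLife.Utils.LinkURLs(): wraps http(s) URLs in anchors.
// Because it now receives escaped text, the match must stop at the entities that
// replaced '<', '>', '"' and "'" (otherwise escaped markup after a URL ends up in href).
const URL_RE = /\bhttps?:\/\/(?:(?!&lt;|&gt;|&quot;|&#39;)[^\s<>"'])+/g;
function linkURLs(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}" target="_blank">${url}</a>`);
}

// Pre-patch order: raw user text is linkified and then written into the chat line.
function renderVulnerable(text) {
  return linkURLs(text);
}

// Post-patch order: escape first, so only anchors built by linkURLs remain as markup.
function renderFixed(text) {
  return linkURLs(escapeHTML(text));
}

// Constructed check: after removing the anchors linkURLs generates itself, does any
// tag remain? A "true" result means user-supplied markup reached the output intact.
function hasForeignMarkup(html) {
  const withoutOurAnchors = html.replace(/<a href="[^"]*" target="_blank">[^<]*<\/a>/g, "");
  return /<\s*\/?\s*[a-zA-Z]/.test(withoutOurAnchors);
}

// Constructed sample: a chat line mixing a legitimate link with attacker-controlled markup.
const SAMPLE = 'see http://example.com/?a=1&b=2 <b onmouseover="x()">hi</b>';

// Stand-alone run: the vulnerable order leaks the <b onmouseover> element, the fixed
// order keeps the link clickable while the markup is shown as literal text.
console.log("vulnerable leaks markup:", hasForeignMarkup(renderVulnerable(SAMPLE)));
console.log("fixed leaks markup:     ", hasForeignMarkup(renderFixed(SAMPLE)));
console.log(renderFixed(SAMPLE));
```

The order matters in both directions: escaping after linkification would encode the anchors the linkifier just built, while linkifying before escaping (the pre-patch order) hands the browser whatever markup the sender typed. The `URL_RE` lookahead is the part a reviewer of the real patch would want to confirm, because escaped text changes what a URL regex sees immediately after a link.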
Preconditions
- The attacker must be able to send chat messages to a victim user of AjaxLife.
- The victim must view the attacker's message in the AjaxLife chat interface (InstantMessage or SpatialChat).
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/cfire24/ajaxlife/commit/9fb53b67312fe3f4336e01c1e3e1bedb4be0c1c8 (mitre, patch)
- github.com/cfire24/ajaxlife/releases/tag/0.3.3 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)