cention-chatserver InternalChatProtocol.fe _formatBody cross site scripting
Description
A vulnerability was found in cention-chatserver 3.8.0-rc1. It has been declared as problematic. Affected by this vulnerability is the function _formatBody of the file lib/InternalChatProtocol.fe. The manipulation of the argument body leads to cross site scripting. The attack can be launched remotely. Upgrading to version 3.9 is able to address this issue. The identifier of the patch is c4c0258bbd18f6915f97f91d5fee625384096a26. It is recommended to upgrade the affected component. The identifier VDB-221497 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in cention-chatserver 3.8.0-rc1 via unescaped user input in the _formatBody function.
Vulnerability
The vulnerability resides in the _formatBody function within lib/InternalChatProtocol.fe of cention-chatserver version 3.8.0-rc1. The function fails to sanitize HTML special characters (e.g., <, >, &, ") in the body argument before inserting URLs into anchor tags. This allows an attacker to inject arbitrary HTML and JavaScript. The issue is fixed in version 3.9 [1][2].
Exploitation
An attacker can remotely send a crafted message containing malicious HTML or JavaScript in the body parameter. No authentication is required if the chat server accepts messages from unauthenticated users. The _formatBody function processes the input and outputs it without proper escaping, causing the injected script to execute in the browser of any user viewing the message. The attack vector is straightforward: include a payload such as `` in the message body.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the chat application. This can lead to session hijacking, data theft (e.g., chat logs, cookies), defacement of the chat interface, or redirection to malicious sites. The impact is limited to the client-side, but the attacker can impersonate users or perform actions on their behalf.
Mitigation
Upgrade to cention-chatserver version 3.9, which includes the fix from commit c4c0258bbd18f6915f97f91d5fee625384096a26 [1][2]. The patch adds HTML entity encoding for &, <, >, ", ', and / before URL replacement. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
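The defect described under Vulnerability and the fix described here, as an added example that is not cention-chatserver's own code: a minimal JavaScript model of the _formatBody pattern, with the unescaped linkifier beside a version that encodes the six characters the patch is said to encode before building anchor tags. URL_RE, the function names and the sample message are assumptions made for illustration.

```javascript
// Added example, not cention-chatserver's own code: a minimal model of the
// _formatBody pattern the advisory describes. formatBodyUnsafe() linkifies
// URLs while leaving the rest of the body raw, so any markup in `body`
// reaches the browser intact. formatBodySafe() escapes the six characters
// the 3.9 patch is described as encoding (& < > " ' /) and only then wraps
// URLs in anchor tags. URL_RE and the function names are assumptions.

// Only http(s) URLs are linkified; a match stops at whitespace or < > " '.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Ampersand first, so entities produced by later steps are not re-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/\//g, '&#x2F;');
}

// Vulnerable shape: the raw body is returned with URLs wrapped in <a> tags.
function formatBodyUnsafe(body) {
  return String(body).replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened shape: split the body at URL matches, escape every text segment
// and every URL, and build the anchor tags only from escaped pieces. The
// regex runs on the raw text so that escaping "/" does not stop it matching.
function formatBodySafe(body) {
  const src = String(body);
  let out = '';
  let last = 0;
  for (const m of src.matchAll(URL_RE)) {
    out += escapeHtml(src.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(src.slice(last));
}

// Constructed sample message containing markup, an ampersand and a URL.
const SAMPLE_BODY = 'Hello <b>world</b> & see https://example.com/a?b=1&c=2';

console.log('unsafe:', formatBodyUnsafe(SAMPLE_BODY));
console.log('safe:  ', formatBodySafe(SAMPLE_BODY));
```

Browsers decode the entities inside the href attribute, so the escaped link still resolves to the original URL while the rest of the message is rendered as text.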
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cention-chatserver/cention-chatserver (source: description)
- Range: <=3.8.0-rc1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/cention-mujibur-rahman/cention-chatserver/commit/c4c0258bbd18f6915f97f91d5fee625384096a26 (mitre; patch)
- github.com/cention-mujibur-rahman/cention-chatserver/releases/tag/3.9 (mitre; patch)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.