Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description
chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chaskiq before commit 51768b2 is vulnerable to stored XSS via unsanitized HTML content in conversation messages.
Vulnerability
Chaskiq versions prior to commit 51768b2 are vulnerable to stored Cross-Site Scripting (XSS) in the conversation list component. The renderConversationContent function inserts message.htmlContent directly into the DOM after running it through a sanitizer, but the sanitizer alone is insufficient: because the content is not HTML-escaped before sanitization, malicious scripts can bypass the filter [1].
Exploitation
An attacker with the ability to send messages in a conversation can inject arbitrary HTML or JavaScript into the htmlContent field. When other users view the conversation list, the malicious content is rendered without proper escaping, leading to script execution [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, data theft, or further compromise of the application [1].
Mitigation
The vulnerability is fixed in commit 51768b2 by applying escapeHTML before sanitizeHtml on the htmlContent field. Users should update to a version including this commit or apply the patch manually. No version release date is provided [1].
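The render paths described above, as an added example that is not code from the chaskiq project: one variant interpolates message.htmlContent as live markup into the conversation-list preview, the other applies escapeHTML first so any tag in the message is shown as inert text. The message shape ({ htmlContent }), the two render functions, the elementTags review helper and the sample message are assumptions for illustration; the sanitizeHtml call the fix applies after escaping is not modeled here.

```javascript
// Added example (not chaskiq's code). Models the two render paths the advisory contrasts.

// Escape the five characters that carry HTML meaning so user text can never open a tag,
// close one, or break out of an attribute value.
function escapeHTML(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable variant (assumed shape): the message body becomes live markup in the preview.
function renderConversationContentUnsafe(message) {
  return `<div class="preview">${message.htmlContent}</div>`;
}

// Fixed variant (assumed shape): escape first, so markup in the message arrives as text.
function renderConversationContentSafe(message) {
  return `<div class="preview">${escapeHTML(message.htmlContent)}</div>`;
}

// Review helper: list the element tags a rendered fragment would create. Anything beyond the
// preview's own <div> originated in user data, which means the escape step was skipped.
function elementTags(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample message: a body that carries markup, including a script element.
const sampleMessage = { htmlContent: 'hi <b>there</b> <script>alert(1)</script>' };

// Usage: compare what each path would hand to the browser.
console.log(elementTags(renderConversationContentUnsafe(sampleMessage))); // div, b, script
console.log(elementTags(renderConversationContentSafe(sampleMessage)));   // div only
```

The helper is a plain regex over a string rather than a DOM parse, which is enough to show the difference here: the unsafe path yields element tags that came from the message, the safe path yields only the container. In a real review, the equivalent check is whether user-controlled strings reach innerHTML, dangerouslySetInnerHTML or an equivalent sink without first being escaped or, where rich text is required, run through an allowlist sanitizer.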
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- github.com/chaskiq/chaskiq/commit/51768b21632dac89fd0dedb2b3b6d91bac732345
- huntr.dev/bounties/2b6a7647-8f2b-4510-b40f-c52aedc2820d
News mentions: 0 (no linked articles in our index yet)