Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq
Description
chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chaskiq is vulnerable to stored cross-site scripting via unsanitized user-controlled input in segment names and app names.
Vulnerability
Chaskiq, a customer messaging platform, is vulnerable to stored cross-site scripting (XSS) due to improper neutralization of user-controlled input when rendering segment names and app names. The vulnerability exists in versions prior to commit bffa585 (no specific release is identified). The code passes unsanitized values from this.props.segment.name and app.name to dangerouslySetInnerHTML in the SaveSegmentModal and GDPRView components respectively. The fix introduces escapeHTML from @chaskiq/components/src/utils/htmlSanitize to sanitize these values before rendering. [1]
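The following is an added illustration, not Chaskiq's code: a minimal escapeHTML helper (the name mirrors the fix, the implementation is an assumption) beside the two ways a segment name can reach markup, so the difference between the vulnerable and the fixed rendering path is visible on a constructed input.

```javascript
// Added example (not the project's code). Shows why interpolating a
// user-controlled name into raw HTML behaves like dangerouslySetInnerHTML
// with an unsanitized value, and what the escaping fix changes.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of HTML text or attribute
// context. A single regex pass means '&' is never double-escaped.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before the fix: the name is dropped into markup verbatim, so any tags
// inside it are parsed by the browser as markup.
function segmentTitleMarkupUnsafe(segmentName) {
  return `<h3>${segmentName}</h3>`;
}

// After the fix: the name is escaped first, so the browser displays the
// characters literally instead of interpreting them.
function segmentTitleMarkupSafe(segmentName) {
  return `<h3>${escapeHTML(segmentName)}</h3>`;
}

// Render-time check a test suite can apply: the only '<' characters in the
// output should be the wrapper's own tags, never ones from the user value.
function userValueLeakedAsMarkup(markup, userValue) {
  return userValue.includes('<') && markup.includes(userValue);
}

// Constructed sample segment name (not from the advisory).
const CONSTRUCTED_NAME = 'VIP & <script>x()</script>';

console.log(segmentTitleMarkupUnsafe(CONSTRUCTED_NAME)); // tags survive
console.log(segmentTitleMarkupSafe(CONSTRUCTED_NAME));   // tags neutralized
```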
Exploitation
An attacker with the ability to set or modify a segment name or app name (e.g., via the application's UI or API) can inject arbitrary HTML/JavaScript. The attacker does not need special privileges beyond being able to create or update these entities. When a user views the affected components (e.g., the segment manager or GDPR consent view), the injected script executes in the context of the victim's browser. No user interaction beyond viewing the page is required. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of sensitive data (e.g., session tokens, cookies), defacement, or further actions on behalf of the victim. The impact is limited to the browser session of users who view the malicious content. [1]
Mitigation
The vulnerability is fixed in commit bffa585 (2021-09-20). Users should update to a version that includes this commit or later. No workarounds are documented. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- github.com/chaskiq/chaskiq/commit/bffa585862b11cc05229ab3ed621d68f70ed33d0
- huntr.dev/bounties/18f7eaee-6309-40cb-aed3-d5ac0af03cf3
News mentions (0)
No linked articles in our index yet.