eXo Chat Application Mention ExoChatMessageComposer.vue cross site scripting
Description
A stored XSS in eXo Chat's mention handler allows remote attackers to inject malicious scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the eXo Chat Application, specifically in the mention handler located in application/src/main/webapp/vue-app/components/ExoChatMessageComposer.vue. The bug allows user-controlled input to be processed without proper HTML entity encoding, enabling script injection. Affected versions are prior to 3.3.0-20220417. The vulnerability was addressed in commit 26bf307d3658d1403cfd5c3ad423ce4c4d1cb2dc [2].
Exploitation
The attacker can launch the attack remotely. By crafting a message containing malicious HTML or JavaScript, and then including a mention (e.g., @username), the unsanitized payload is inserted into the chat. When other users view the message, the embedded script executes in their browser. No elevated privileges are required; only the ability to send messages is needed.
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the context of the victim's session within the chat application. This could allow the attacker to steal session cookies, access chat history, or perform actions as the victim user, leading to information disclosure and potential session hijacking.
Mitigation
Upgrade to version 3.3.0-20220417 or later, which includes the fix [1][2]. The patch introduces an encodeHTMLEntities function that sanitizes user input before processing [2]. No workarounds are documented; upgrading is recommended.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.3.0-20220417
- eXo/Chat Application v5, Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing HTML entity encoding of user-supplied message text before processing mentions and pasting, leading to stored cross-site scripting."
Attack vector
An attacker can send a crafted chat message containing HTML or JavaScript payloads (e.g. `
Affected code
The vulnerable code is in `application/src/main/webapp/vue-app/components/ExoChatMessageComposer.vue`, specifically the `checkMention` method and the `paste` handler. Both functions processed user-supplied text without HTML-encoding it, allowing injected HTML/JavaScript to pass through unsanitized [ref_id=1].
What the fix does
The patch adds an `encodeHTMLEntities` helper that uses a DOM element's `innerText` setter and `innerHTML` getter to safely encode HTML special characters. This helper is called in two places: inside `checkMention` (line 343) to sanitize the message before mention processing, and inside the `paste` handler (line 376) to encode pasted plain text. By encoding `
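To make the fix concrete, here is an added example (not eXo's code and not the actual `checkMention` implementation) that emulates the innerText-setter / innerHTML-getter encoder in plain JavaScript so it runs under Node without a DOM, and applies it to a hypothetical mention handler that wraps `@user` tokens in a span; the roster, sample message and mention markup are constructed for the example.

```javascript
// Emulation of the DOM trick the patch relies on. A browser's innerHTML
// getter serialises a text node by escaping only '&', '<' and '>' (plus
// U+00A0 as &nbsp;); quotes are NOT escaped, so the result is safe as
// element content but not as an attribute value. The innerText setter
// turns newlines into <br> elements, which is emulated here too.
function encodeHTMLEntities(text) {
  return String(text)
    .replace(/&/g, '&amp;')          // must run first or later entities get double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/\r\n|\r|\n/g, '<br>');
}

// Hypothetical mention handler modelled on the page's description: it
// wraps known @user tokens in markup the application itself controls.
const MENTION = /@([A-Za-z0-9_.-]+)/g;
const KNOWN_USERS = new Set(['alice', 'bob']);   // constructed sample roster

function wrapMentions(html) {
  return html.replace(MENTION, (m, user) =>
    KNOWN_USERS.has(user) ? `<span class="mention">@${user}</span>` : m);
}

// Vulnerable shape: raw message text flows straight into the markup.
function renderMessageUnsafe(message) {
  return wrapMentions(message);
}

// Fixed shape: encode the untrusted text first, then add trusted markup.
function renderMessageSafe(message) {
  return wrapMentions(encodeHTMLEntities(message));
}

// Review check: does any tag other than the ones we emit ourselves survive?
const ALLOWED_TAGS = /^<\/?(span class="mention"|span|br)>$/;
function containsForeignMarkup(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((t) => !ALLOWED_TAGS.test(t));
}

// Constructed sample message containing a mention, a tag and a newline.
const SAMPLE = '@alice look <script>alert(1)</script>\n& tell @bob';

console.log(renderMessageSafe(SAMPLE));
// <span class="mention">@alice</span> look &lt;script&gt;alert(1)&lt;/script&gt;<br>&amp; tell <span class="mention">@bob</span>
```

Because quotes are left untouched, this encoder is only adequate when the result lands in element content, which is how the chat composer uses it; anything interpolated into an attribute needs quote escaping as well.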
Preconditions
- Input: Attacker must be able to send messages in the chat application
- Auth: No special authentication or configuration required beyond normal chat access
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/exoplatform/chat-application/commit/26bf307d3658d1403cfd5c3ad423ce4c4d1cb2dc (mitre, patch)
- github.com/exoplatform/chat-application/releases/tag/3.3.0-20220417 (mitre, patch)
- community.exoplatform.com/portal/dw/tasks/taskDetail/56304 (mitre, related)
- github.com/exoplatform/chat-application/pull/485 (mitre, issue-tracking)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.