Impact
A Cross-Site Scripting (XSS) vulnerability was found in the HTML output of chats. XSS is intended to be mitigated by Jinja's escape function. However, autoescape=True was missing when setting the environment. Although the actual impact is low, considering the HTML file is being viewed offline, an adversary may still be able to inject malicious payloads into the chat through WhatsApp. All users are affected.
Patches
The vulnerability is patched in 0.9.5. All users are strongly advised to update the exporter to the latest version.
Workarounds
No workaround is available. Please update the exporter to the latest version.
References
KnugiHK/WhatsApp-Chat-Exporter@bfdc68c
https://owasp.org/www-community/attacks/xss/
References
KnugiHK Finder
Impact
A Cross-Site Scripting (XSS) vulnerability was found in the HTML output of chats. XSS is intended to be mitigated by Jinja's escape function. However,
autoescape=Truewas missing when setting the environment. Although the actual impact is low, considering the HTML file is being viewed offline, an adversary may still be able to inject malicious payloads into the chat through WhatsApp. All users are affected.Patches
The vulnerability is patched in 0.9.5. All users are strongly advised to update the exporter to the latest version.
Workarounds
No workaround is available. Please update the exporter to the latest version.
References
KnugiHK/WhatsApp-Chat-Exporter@bfdc68c
https://owasp.org/www-community/attacks/xss/
References