1Panel-dev MaxKB Public Chat static_headers_middleware.py StaticHeadersMiddleware 跨站脚本漏洞

在 1Panel-dev MaxKB 的 2.2.1 版本及之前版本中发现了一个跨站脚本 (XSS) 漏洞。该漏洞位于文件 apps/common/middleware/staticheadersmiddleware.py 的 StaticHeadersMiddleware 函数中，特别是与公共聊天界面中 Name 参数的处理有关。攻击者可以操纵此参数，将恶意 JavaScript 代码注入到应用程序中，然后在易受攻击用户的浏览器中执行。这可能允许攻击者窃取敏感信息、代表用户执行操作或将用户重定向到恶意网站。由于攻击是远程的，因此可以从任何具有应用程序访问权限的位置发起攻击。

Organizations utilizing 1Panel-dev MaxKB in their deployments, particularly those with publicly accessible chat interfaces, are at risk. Shared hosting environments where multiple users share the same 1Panel-dev MaxKB instance are especially vulnerable, as a compromise of one user could potentially affect others. Legacy configurations or deployments that have not been regularly updated are also at increased risk.

• php: Examine application logs for requests containing suspicious characters or patterns in the 'Name' parameter. Use grep to search for patterns like <script> or javascript: within the logs.

grep -i '<script|javascript:' /var/log/apache2/access.log

• generic web: Use curl to test the affected endpoint with various payloads. Check the response headers for signs of XSS.

curl -X POST -d "Name=<script>alert('XSS')</script>" http://your-1panel-maxkb-url/chat

1. 2026-04-11Disclosure

   disclosure

2. 2026-04-11PoC

   poc

3. 2026-04-11Patch

   patch

1. 已保留2026-04-11
2. 发布日期2026-04-11
3. 修改日期2026-04-13
4. EPSS 更新日期2026-04-19

减轻此漏洞的建议解决方案是升级到 1Panel-dev MaxKB 的 2.8.0 版本。此版本包含对 StaticHeadersMiddleware 函数中 Name 参数处理的修复，从而防止 XSS 代码注入。此外，建议审查并加强应用程序的安全策略，包括验证和清理所有用户输入。监控应用程序日志以查找可疑活动也有助于检测和响应潜在攻击。此漏洞的特定补丁由哈希值 026a2d623e2aa5efa67c4834651e79d5d7 标识。