API Security Blog

Dust: Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover

A stored cross-site scripting (XSS) vulnerability was discovered in the Dust platform's file upload functionality. An attacker could upload a malicious HTML file to a conversation. When another user, including an admin, opened the uploaded file, its JavaScript executed in that user's authenticated browser session. This allowed the attacker to issue authenticated API requests on behalf of the victim, including promoting their own account to admin, downgrading or removing legitimate admins, accessing and deleting secrets, and gaining full control over the…
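The root cause described above is that a user-supplied HTML file is rendered inline on the application's own origin, so its script runs with the viewer's cookies. As an added illustration that is not from the original post or the Dust codebase, the following Python helper shows the response-header policy that closes this class of bug: uploads are served as downloads unless they are passive content, the MIME type is pinned, and sniffing is disabled. Function and constant names are hypothetical.

```python
# Added example (not the Dust project's code): decide how a stored upload
# is served so that an uploaded .html/.svg/.xhtml file can never execute
# script on the application origin. The stronger fix, serving uploads from a
# separate cookie-less origin, is complementary to these headers.
import mimetypes
import os

# Only passive types may be rendered inline; everything else is a download.
SAFE_INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def upload_response_headers(stored_filename):
    """Return HTTP response headers for serving a stored upload.

    The type is derived from the stored filename's extension; the
    Content-Type the client declared at upload time is deliberately not
    consulted, since an attacker controls it.
    """
    # Drop any path component and quote characters so the filename cannot
    # break out of the Content-Disposition header value.
    safe_name = os.path.basename(stored_filename).replace('"', "")
    guessed, _ = mimetypes.guess_type(safe_name)
    ctype = guessed or "application/octet-stream"

    headers = {
        "Content-Type": ctype,
        # Stop browsers from sniffing an attachment back into HTML.
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "private, no-store",
        # If a browser does render the body, it gets no scripts, no origin
        # and no access to the app's session.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    disposition = "inline" if ctype in SAFE_INLINE_TYPES else "attachment"
    headers["Content-Disposition"] = f'{disposition}; filename="{safe_name}"'
    return headers


def renders_inline(stored_filename):
    """True only when the upload would be displayed in the browser."""
    return upload_response_headers(stored_filename)["Content-Disposition"].startswith("inline")
```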
