Horizon Alert
Summary of the vulnerability and why it matters
This vulnerability affects OpenReplay, a self-hosted session replay tool. An unauthenticated attacker could potentially compromise user accounts by injecting malicious scripts through custom event data. The main concern is confirming relevance and exposure within your organization.
- Script injection allows account takeover.
- Affects self-hosted session replay tools.
- Confirm if OpenReplay is in use.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can target users of the OpenReplay dashboard by sending specially crafted event data. The vulnerable component is the tracking SDK, which accepts custom event names and URLs from any visitor. This data is stored and later rendered without proper encoding in the dashboard. When a user views this data, an embedded script can execute within the dashboard's origin, allowing the attacker to steal the session's JWT from local storage and potentially take over the account.
- Unauthenticated user can send data.
- Vulnerable SDK renders script in dashboard.
- Account takeover risk.
Live Threat
Current exploitation, exposure, and threat context
An unauthenticated attacker could inject scripts into the OpenReplay dashboard, allowing them to steal session JWTs and take over authenticated user accounts. This occurs when custom event names and captured page URLs are processed without proper output encoding.
- Authenticated dashboard accounts.
- Script injection via custom event data.
- Account takeover by attackers.
Operational Fix
Recommended remediation, mitigation, and detection steps
Real-world ownership of this critical vulnerability likely falls to the platform or infrastructure teams managing the self-hosted OpenReplay instance, with coordination from application owners. The first practical step is to identify all deployments of OpenReplay, confirm their reachability and business criticality, and then identify the accountable owner for each instance to plan targeted remediation.
- Platform or infrastructure teams own remediation.
- Verify OpenReplay deployment reachability and criticality.
- Coordinate updates with application owners.