Description
NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content
Summary
A Cross-Site Scripting (XSS) vulnerability exists in the ui.interactive_image component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag.
Details
The vulnerability is located in nicegui/elements/interactive_image.js.
The component uses the following code to render content:
Vue's v-html directive renders raw HTML strings into the DOM. If an application allows user-controlled input to be passed to the content property of an interactive image, an attacker can embed a <foreignObject> tag containing malicious scripts, bypassing typical image restrictions.
PoC
Impact
- Type: Reflected / Stored XSS (depending on data source)
- Severity: Moderate
- Impact: Attackers can inject malicious scripts that execute whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations.
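Upgrading to 3.4.0 is the fix the advisory names. For applications that must keep accepting user-supplied overlay markup, the defensive control on the application side is to never hand a raw string to the content property: rebuild the fragment from an allow-list of drawing elements and attributes so that <foreignObject>, <script>, event-handler attributes and link attributes are dropped before the component renders it. The following sanitizer is an added example, not NiceGUI project code; it assumes overlay fragments are plain SVG markup without namespace prefixes, and the allow-lists are hypothetical choices an application would tune to what it actually draws.

```python
"""Allow-list sanitizer for SVG overlay fragments before they reach ui.interactive_image.

Added example, not part of NiceGUI. Assumes the overlay is a plain SVG fragment
(no namespace prefixes) and that only basic drawing primitives are legitimate.
"""
import xml.etree.ElementTree as ET

# Hypothetical allow-list of drawing primitives. Anything else, including
# <foreignObject>, <script>, <a>, <use> and <image>, is dropped with its subtree.
ALLOWED_TAGS = {"g", "rect", "circle", "ellipse", "line", "polyline",
                "polygon", "path", "text"}

# Geometry and presentation attributes only: no on* event handlers,
# no href/xlink:href, no style. Unknown attributes are rejected, not filtered.
ALLOWED_ATTRS = {
    "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "d", "points", "fill", "stroke", "stroke-width",
    "opacity", "transform", "font-size",
}


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}rect' -> 'rect'; 'rect' is unchanged."""
    return name.rsplit("}", 1)[-1]


def _rebuild(elem: ET.Element):
    """Return a fresh element containing only allowed tags/attributes, or None."""
    tag = _local(elem.tag)
    if tag not in ALLOWED_TAGS:
        return None  # disallowed element: its whole subtree is discarded
    clean = ET.Element(tag)
    for key, value in elem.attrib.items():
        if _local(key) in ALLOWED_ATTRS:
            clean.set(_local(key), value)
    if tag == "text" and elem.text:
        clean.text = elem.text  # serializer escapes it, so it cannot become markup
    for child in elem:
        rebuilt = _rebuild(child)
        if rebuilt is not None:
            clean.append(rebuilt)
    return clean


def sanitize_svg_fragment(fragment: str) -> str:
    """Return a sanitized copy of an SVG overlay fragment.

    Raises ValueError when the input is not well-formed XML; a caller should
    treat that as a rejected submission rather than fall back to the raw string.
    """
    try:
        root = ET.fromstring(f"<svg>{fragment}</svg>")
    except ET.ParseError as exc:
        raise ValueError("overlay content is not well-formed SVG") from exc
    parts = []
    for child in root:
        rebuilt = _rebuild(child)
        if rebuilt is not None:
            parts.append(ET.tostring(rebuilt, encoding="unicode"))
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample: one legitimate shape carrying a disallowed attribute,
    # followed by a <foreignObject> element that must not survive.
    sample = ('<rect x="1" y="2" width="10" height="10" onclick="handler()" />'
              '<foreignObject><div>injected</div></foreignObject>')
    print(sanitize_svg_fragment(sample))
```

Call sanitize_svg_fragment on every user-supplied overlay before assigning it to the component's content property, and reject the submission when it raises. The rebuild-from-scratch approach is deliberate: rather than searching the string for dangerous patterns, the parser tree is walked and a new tree is emitted from the allow-list, so an element or attribute the sanitizer does not know about is dropped by default.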
Packages
nicegui: affected <= 3.3.1; fixed in 3.4.0
Related vulnerabilities
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to an XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations. This issue is fixed in version 3.4.0.