
GHSA-m7j5-rq9j-6jj9

Published: 08 Jan 2026
Source: github
GitHub: Reviewed
CVSS3: 6.1

Description

NiceGUI apps that use ui.sub_pages and render arbitrary user-provided links are vulnerable to XSS

Summary

An unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link.

Details

  1. On click, a sub_pages_navigate event is eventually emitted. https://github.com/zauberzeug/nicegui/blob/59fa9424c470f1b12c5d368985fa36e21fda706b/nicegui/elements/sub_pages.js#L41-L63

  2. SubPagesRouter (used by ui.sub_pages), listening on sub_pages_navigate, runs _handle_navigate. https://github.com/zauberzeug/nicegui/blob/59fa9424c470f1b12c5d368985fa36e21fda706b/nicegui/sub_pages_router.py#L18-L22

  3. _handle_navigate calls run_javascript with an f-string that substitutes self.current_path, which is merely surrounded by double quotes. The string context can easily be broken out of. https://github.com/zauberzeug/nicegui/blob/59fa9424c470f1b12c5d368985fa36e21fda706b/nicegui/sub_pages_router.py#L73-L88
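To make the defect in step 3 concrete, here is an added, self-contained Python example; it is not NiceGUI's code and the pushState template, the function names and the check are assumptions made for the demonstration. A hypothetical stand-in for the JavaScript a router might emit is built once with the unsafe f-string pattern and once with json.dumps, and a small check blanks out every double-quoted string literal and compares what remains against the empty-path skeleton, so any path that escapes the literal and adds code is detected.

```python
import json

# Hypothetical JavaScript template used only for this demonstration; it is NOT
# NiceGUI's actual run_javascript call. What matters is that the path lands
# inside a double-quoted JavaScript string literal, as in _handle_navigate.
JS_TEMPLATE = 'window.history.pushState({{}}, "", {path_literal})'

# The link target from the advisory's minimal PoC.
PAYLOAD = '/"+alert(1)+"'


def build_navigate_js_unsafe(path: str) -> str:
    """Vulnerable pattern: the raw path is wrapped in double quotes, so a
    quote inside the path terminates the literal early and whatever follows
    is parsed as JavaScript code."""
    return JS_TEMPLATE.format(path_literal=f'"{path}"')


def build_navigate_js_safe(path: str) -> str:
    """Hardened pattern: json.dumps emits a JavaScript-compatible string
    literal with quotes, backslashes and control characters escaped; with the
    default ensure_ascii=True, non-ASCII (including U+2028/U+2029) is written
    as \\uXXXX, so the path can never close the literal."""
    return JS_TEMPLATE.format(path_literal=json.dumps(path))


def code_outside_string_literals(js: str) -> str:
    """Return the JavaScript source with every double-quoted string literal
    replaced by an empty literal "", honouring backslash escapes. Single-quoted
    and template literals are not handled; the template above uses only double
    quotes, which is all this check needs."""
    out = []
    i = 0
    n = len(js)
    while i < n:
        c = js[i]
        if c == '"':
            out.append('""')
            i += 1
            while i < n and js[i] != '"':
                # A backslash escapes the next character, so skip both.
                i += 2 if js[i] == '\\' else 1
            i += 1  # skip the closing quote
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def injects_code(build, path: str) -> bool:
    """True if interpolating `path` changes the code structure, i.e. the
    characters outside string literals differ from the empty-path skeleton.
    A correct builder keeps every path, however hostile, inside the literal."""
    skeleton = code_outside_string_literals(build(''))
    return code_outside_string_literals(build(path)) != skeleton


if __name__ == '__main__':
    for name, build in (('unsafe', build_navigate_js_unsafe),
                        ('safe', build_navigate_js_safe)):
        print(f'{name}: {build(PAYLOAD)}')
        print(f'  injects code: {injects_code(build, PAYLOAD)}')
```

The same structural comparison works as a regression check for any server-side template that interpolates user data into generated JavaScript: if the code outside the string literals ever differs from the empty-input skeleton, the encoding is insufficient.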

PoC

The minimal PoC boils down to this:

```python
from nicegui import ui

# The link target closes the double-quoted JS string built in _handle_navigate.
ui.sub_pages({'/': lambda: ui.link('Go to XSS', '/"+alert(1)+"')})
ui.run()
```

However, it is more likely that the attack takes place with attacker-controlled input, which the following shows:

```python
from nicegui import app, ui

ui.sub_pages({'/': lambda: ui.label('Hello, World!')})
# User-supplied Markdown is stored and rendered back, including any links it contains.
ui.textarea('Markdown content').bind_value(app.storage.general, 'markdown_content')
ui.markdown().bind_content_from(app.storage.general, 'markdown_content')
ui.run()
```

The triggering Markdown input is [XSS LINK](/"+alert(document.domain)+") (this causes the payload to execute twice, though).

Both cases require someone to click on the link.

Impact

Any page which uses ui.sub_pages and renders arbitrary links on screen (common case of ui.markdown) is affected.

The impact is low since a click is always required from the user, who can hover over the link to discover its suspicious target and stop, if well-trained.

Appendix

An AI model was used, safely, to judge the CVSS scoring (the PoC input was not provided to it, only the impact statement).

Please find the results at https://poe.com/s/y5DvyqgtszDGLUuHin1O

Scoring update after manual review

  • Scope Changed is more in line with other published XSS vulnerabilities.
  • Availability None: no DDoS is possible with this; the site remains as performant as ever.

Packages

Name: nicegui (pip)
Affected versions: >= 2.22.0, <= 3.4.1
Fixed version: 3.5.0

EPSS

Percentile: 8%
0.00031
Low

CVSS3: 6.1 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
nvd
about 1 month ago

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

EPSS

Percentile: 8%
0.00031
Low

CVSS3: 6.1 Medium

Weaknesses

CWE-79