givanz
commented
4 months ago Thanks for the vulnerability report, I included a fix in the latest commit https://github.com/givanz/VvvebJs/commit/c0c0545b44b23acc288ef907fb498ce15b9b576e and made a new release https://github.com/givanz/VvvebJs/releases/tag/1.7.5
Hebing123
Summary
VvvebJs 1.7.4 has a reflective cross-site scripting (XSS) vulnerability. An attacker can execute malicious code in the user's browser by inducing the user to click on a link containing malicious code.
Details
The vulnerability exists in the save.php file, which accepts input from the user and outputs it directly to the HTML page or executes it without any form of filtering or escaping. Here is the code for the vulnerability:
https://github.com/givanz/VvvebJs/blob/c6422cfd4d835c2fa6d512645e30015f24538ef0/save.php#L91-L93 https://github.com/givanz/VvvebJs/blob/c6422cfd4d835c2fa6d512645e30015f24538ef0/save.php#L159
The $_GET['action'] accepts user input without any filtration or escaping, and it's directly assigned to the $action variable. In subsequent handling, the $action variable is processed without any effective security measures, and it's directly inserted into the front-end page during error messages, thus causing an XSS vulnerability.
Proof of Concept (POC)
http(s)://save.php?action=<script>alert(%27test%27)</script>Impact
As this is a reflective XSS vulnerability, an attacker can construct a URL containing malicious code and lure the victim to access it. Once the victim accesses this malicious link, the harmful code is executed in their browser, potentially utilizing the victim's permissions to perform other possible malicious operations. It is recommended that developers promptly fix the aforementioned reflective XSS vulnerability.