The CVE-2024-32881 vulnerability in code16/sharp arises from unsafe rendering of user-supplied content in the `SharpShowTextField` component. In affected versions, the component is rendered with Vue.js, which treats double curly braces `{{ }}` as delimiters for data binding and JavaScript expression evaluation. The component did not sanitize or escape these delimiters in the field's content data. Consequently, if an attacker supplies input containing a Vue.js expression, such as `{{ constructor.constructor('alert(1)')() }}`, the expression is passed directly to Vue's rendering engine when the field is displayed. Vue evaluates the injected JavaScript expression in the context of the current application, leading to arbitrary code execution within the victim's browser session, because the input is treated as a template directive rather than inert text.
Platform: Laravel
Version: <9.11.1
Vulnerability: XSS
Severity: Critical
Date: 2024
Prediction: 2024-05-15
What Undercode Say:
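```bash
# List Vue-style {{ ... }} expressions present in a response body
curl -s "https://example.com/admin/data" | grep -oP '\{\{\s*.*?\s*\}\}'
```
```javascript
// Proof of Concept Payload
const payload = "{{ $emit('init', $event.constructor('alert(document.domain)')()) }}";
```
```php
// Sanitization Example
// Encodes & < > " ' as HTML entities; { and } pass through unchanged
htmlspecialchars($userContent, ENT_QUOTES, 'UTF-8');
```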
How the Exploit Works:
Attacker controls field data.
Input with `{{ }}` is stored.
Admin views record.
Vue executes payload.
Session hijacking occurs.
Protection from this CVE
Update to v9.11.1.
Sanitize all user inputs.
Implement Content Security Policy.
Encode HTML entities.
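
HTML-entity encoding does not touch `{` or `}`, so a stored value can still reach Vue as template syntax after it. The following check is an added example, not code from code16/sharp or from the original page: it audits stored field values for `{{ }}` interpolations and reports whether they survive HTML escaping. The helper names and sample records are assumptions made for illustration.

```javascript
// Added example; helper names and sample records are constructed for illustration.

// Same five replacements as PHP htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Entity spellings of "{" and "}" can be decoded back to braces before a
// template is compiled (the browser does this for in-DOM templates).
function decodeBraceEntities(s) {
  return s
    .replace(/&(?:#0*123|#x0*7b|lbrace|lcub);/gi, '{')
    .replace(/&(?:#0*125|#x0*7d|rbrace|rcub);/gi, '}');
}

// Return the body of every {{ ... }} interpolation found in a value.
function findVueInterpolations(value) {
  const text = decodeBraceEntities(String(value));
  return [...text.matchAll(/\{\{([\s\S]*?)\}\}/g)].map((m) => m[1].trim());
}

// Flag fields that contain template syntax, and record whether the
// delimiters are still present after HTML-entity encoding.
function auditRecords(records) {
  const findings = [];
  for (const rec of records) {
    for (const [field, value] of Object.entries(rec.fields)) {
      const exprs = findVueInterpolations(value);
      if (exprs.length === 0) continue;
      const survivesHtmlEscaping = findVueInterpolations(escapeHtml(value)).length > 0;
      findings.push({ id: rec.id, field, exprs, survivesHtmlEscaping });
    }
  }
  return findings;
}

// Constructed sample data (record 2 reuses the expression quoted above).
const sampleRecords = [
  { id: 1, fields: { bio: 'Plain text with <b>markup</b>' } },
  { id: 2, fields: { bio: "{{ constructor.constructor('alert(1)')() }}" } },
  { id: 3, fields: { note: 'total: &#123;&#123; 7*7 &#125;&#125;' } },
];
console.log(JSON.stringify(auditRecords(sampleRecords), null, 2));
```

Flagged values should be rejected at input or rendered as inert text (for example inside an element carrying Vue's `v-pre` directive) rather than compiled as a template.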
Impact:
Session token theft.
Unauthorized admin actions.
Account compromise.
Data exfiltration.
Sources:
Reported By: github.com

