Vuetify, Cross-site Scripting (XSS), Moderate Severity

The vulnerability is a DOM-based Cross-Site Scripting (XSS) flaw within the `VDatePicker` component of Vuetify. It stems from the improper neutralization of user input passed to the `-date-format` property. This property is designed to accept a formatting function that returns a string for the picker’s . However, the component directly assigns the function’s output to the `innerHTML` property of the element without any sanitization.
When an attacker can control or influence the function supplied to `-date-format`, they can craft it to return a string containing malicious HTML elements, such as `
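
The sink described above, next to two ways of neutralizing it, as an added example that is not Vuetify's code: a wrapper that escapes whatever a formatter returns, and a render path that uses `textContent` instead of `innerHTML`. All function names, the stand-in element and the sample label are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical names, not Vuetify API or source.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralize every character the HTML parser treats as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrap any formatter so its output is inert text even under innerHTML.
// A formatter that throws or returns null/undefined yields an empty string.
function hardenFormatter(formatFn) {
  return function hardened(...args) {
    let out;
    try {
      out = formatFn(...args);
    } catch (err) {
      return '';
    }
    return out == null ? '' : escapeHtml(out);
  };
}

// Sink as the page describes it: formatter output assigned to innerHTML.
function renderTitleUnsafe(el, formatFn, date) {
  el.innerHTML = formatFn(date);
}

// Corrected sink: textContent never parses its input as HTML.
function renderTitleSafe(el, formatFn, date) {
  el.textContent = String(formatFn(date) ?? '');
}

// Constructed sample: a formatter that interpolates an untrusted label
// (assumption: the label arrives from outside the application).
function makeLabelFormatter(untrustedLabel) {
  return (date) => `${untrustedLabel} ${date}`;
}

// Stand-in element so the example runs outside a browser (plain object, not a DOM node).
const el = {};
const fmt = makeLabelFormatter('<b>Sale</b>');
renderTitleUnsafe(el, hardenFormatter(fmt), '2024-05-01');
console.log(el.innerHTML); // &lt;b&gt;Sale&lt;/b&gt; 2024-05-01
```

Wrapping the formatter is the option available to an application that cannot change the component's sink; switching the sink to `textContent` is the fix at the component level.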
