Back

CVE-2024-45803

Sept. 17, 2024, 7:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Wire UI

  • 1.19.3
  • 2.1.3

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-79
2024-09-17
CVE-2024-45803

CVE-2024-45803 details

Published : Sept. 17, 2024, 7:15 p.m.
Last Modified : Sept. 17, 2024, 7:15 p.m.

Description

Wire UI is a library of components and resources to empower Laravel and Livewire application development. A potential Cross-Site Scripting (XSS) vulnerability has been identified in the `/wireui/button` endpoint, specifically through the `label` query parameter. Malicious actors could exploit this vulnerability by injecting JavaScript into the `label` parameter, leading to the execution of arbitrary code in the victim's browser. The `/wireui/button` endpoint dynamically renders button labels based on user-provided input via the `label` query parameter. Due to insufficient sanitization or escaping of this input, an attacker can inject malicious JavaScript. By crafting such a request, an attacker can inject arbitrary code that will be executed by the browser when the endpoint is accessed. If exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the affected website. This could lead to: **Session Hijacking**: Stealing session cookies, tokens, or other sensitive information. **User Impersonation**: Performing unauthorized actions on behalf of authenticated users. **Phishing**: Redirecting users to malicious websites. **Content Manipulation**: Altering the appearance or behavior of the affected page to mislead users or execute further attacks. The severity of this vulnerability depends on the context of where the affected component is used, but in all cases, it poses a significant risk to user security. This issue has been addressed in release versions 1.19.3 and 2.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

URL Source
https://github.com/wireui/wireui/commit/784c4f110e58eb41d0f2bdecd4655ea417f16e7e security-advisories@github.com
https://github.com/wireui/wireui/commit/a457654912055f4dcc559da04d4e319f76b80fc5 security-advisories@github.com
https://github.com/wireui/wireui/security/advisories/GHSA-rw5h-g8xq-6877 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.