Nixpkgs security tracker
6.1 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
NiceGUI has XSS via Code Injection
NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used string interpolation instead of `json.dumps()` for the method/property name, allowing quote injection to break out of the intended string context. Version 3.8.0 contains a fix.
References
Affected products
- ==< 3.8.0
Matching in nixpkgs
pkgs.python312Packages.nicegui
Module to create web-based user interfaces
pkgs.python313Packages.nicegui
Module to create web-based user interfaces
pkgs.python314Packages.nicegui
Module to create web-based user interfaces
pkgs.python312Packages.nicegui-highcharts
NiceGUI with support for Highcharts
pkgs.python313Packages.nicegui-highcharts
NiceGUI with support for Highcharts
pkgs.python314Packages.nicegui-highcharts
NiceGUI with support for Highcharts
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>