nbubna Store Cross-Site Scripting Vulnerability in store.deep.js Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in nbubna Store versions 2.14.2 and prior. This issue allows remote attackers to execute arbitrary code by injecting malicious payloads into the user-controlled parameters of the store.get method. The vulnerability arises from the use of eval to access nested object properties, which can be exploited to execute scripts in the context of the user's session.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute scripts in the context of the user's session. This could lead to stealing cookies or performing actions on behalf of the user.

Reproduction

To reproduce this vulnerability, first set a key in the store with a value that includes a nested property reference, such as 'key;alert(1337)'. Then, retrieve the value using the store.get method, which will trigger the XSS by executing the injected script. This can be done by fetching the key from localStorage or sessionStorage, where it was previously stored.

Remediation

The vulnerability can be addressed by removing the use of eval and implementing a safer method to access nested object properties. A pull request has been made to apply this patch.
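
One way to read nested properties without eval, shown as an added example that is not the project's code or the patch in the pull request. The names getPath, BLOCKED, sample and demo are hypothetical, and the sample data is constructed:

```javascript
// Added example: eval-free lookup of a dotted path inside a parsed value.
// getPath and BLOCKED are hypothetical names, not part of nbubna Store.
const BLOCKED = new Set(["__proto__", "prototype", "constructor"]);

function getPath(root, path) {
  if (typeof path !== "string" || path === "") return undefined;
  let node = root;
  for (const segment of path.split(".")) {
    // Segments are only ever used as property names, never compiled as code.
    if (segment === "" || BLOCKED.has(segment)) return undefined;
    if (node === null || typeof node !== "object") return undefined;
    // Own properties only, so inherited members are unreachable.
    if (!Object.prototype.hasOwnProperty.call(node, segment)) return undefined;
    node = node[segment];
  }
  return node;
}

// Constructed sample data standing in for a value parsed from localStorage.
const sample = JSON.parse('{"user":{"name":"ada","tags":["a","b"]}}');

function demo() {
  return {
    nested: getPath(sample, "user.name"),
    arrayItem: getPath(sample, "user.tags.1"),
    missing: getPath(sample, "user.email"),
    // The payload-shaped key from the Reproduction section is treated as
    // a property name that does not exist, so nothing runs.
    payload: getPath(sample, "key;alert(1337)"),
    proto: getPath(sample, "user.__proto__.polluted"),
  };
}

console.log(demo());
```

Because each path segment is used only as a lookup key, a key containing script text resolves to undefined.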

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.