Vuetify VCalendar Component Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Vuetify library, specifically within the VCalendar component, in versions 2.0.0 through 3.0.0. The issue arises from improper handling of the 'eventMoreText' property, which allows unsanitized HTML to be injected and executed on the page. The root cause is that Vuetify's default translation function returns the translation key unchanged when no translation is found for it, so a value passed through 'eventMoreText' reaches the rendered markup verbatim, enabling the injection of malicious scripts.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where injected scripts are executed in the browser context of the user viewing the calendar.

Reproduction

To reproduce this vulnerability, create a Vue.js application using Vuetify 2.x. Add a VCalendar component with the 'event-more' prop enabled, and set the 'eventMoreText' prop to include malicious HTML or JavaScript code. When the calendar displays the 'more events' link, clicking it will execute the injected script.
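The two ingredients the advisory describes, a key-as-fallback translation lookup and a render path that drops the result into markup, are modelled below as an added example. This is not Vuetify's code; the translation table, the function names and the `{0}` placeholder syntax are assumptions made for the illustration, and the markup-bearing sample value is constructed. It shows why the unescaped path is exploitable and the two defender-side fixes: escape the translated text before it reaches markup, and reject prop values that contain markup at all.

```javascript
// Constructed translation table: only one key is known. (assumption, not Vuetify's locale file)
const translations = { "$vuetify.calendar.moreEvents": "{0} more" };

// Assumption: mirrors the fallback behaviour the advisory describes - an unknown key
// is returned verbatim instead of raising an error or returning an empty string.
function translateWithFallback(key, ...params) {
  const template = Object.prototype.hasOwnProperty.call(translations, key)
    ? translations[key]
    : key; // the caller's text becomes the "translation"
  return template.replace(/\{(\d+)\}/g, (_, i) => String(params[Number(i)] ?? ""));
}

// Minimal HTML escaper: neutralises the characters that can start markup or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: translated text is interpolated into HTML without escaping.
// If eventMoreText carries markup, that markup is emitted as-is.
function renderMoreLinkUnsafe(eventMoreText, hiddenCount) {
  const label = translateWithFallback(eventMoreText, hiddenCount);
  return `<a class="v-event-more">${label}</a>`;
}

// Hardened pattern: the translated string (including substituted parameters)
// is escaped before it is placed in markup, so it renders as text only.
function renderMoreLinkSafe(eventMoreText, hiddenCount) {
  const label = translateWithFallback(eventMoreText, hiddenCount);
  return `<a class="v-event-more">${escapeHtml(label)}</a>`;
}

// Defence-in-depth for application code: validate the prop before handing it to
// the component. A translation key or plain label never needs angle brackets.
function isPlainMoreText(value) {
  return typeof value === "string" && !/[<>]/.test(value);
}

// Constructed sample value containing markup (stands in for an attacker-controlled prop).
const MARKUP_VALUE = "<b>{0} more</b>";

function demo() {
  return {
    normal: renderMoreLinkUnsafe("$vuetify.calendar.moreEvents", 3),
    unsafe: renderMoreLinkUnsafe(MARKUP_VALUE, 3),
    safe: renderMoreLinkSafe(MARKUP_VALUE, 3),
    accepted: isPlainMoreText("$vuetify.calendar.moreEvents"),
    rejected: isPlainMoreText(MARKUP_VALUE),
  };
}

console.log(demo());
```

The "normal" output shows the intended behaviour: a known key yields "3 more". The "unsafe" output shows the bug: with the fallback, an unknown key is treated as the label itself and its `<b>` tags survive into the anchor's HTML. The "safe" output escapes them, and `isPlainMoreText` lets an application refuse such values up front, which is the right interim control while an upgrade to the fixed release is scheduled.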

Remediation

Users can upgrade to Vuetify NES version 2.7.3 or later, where this vulnerability has been fixed. For those using Vuetify 2.x, which is no longer supported, consider migrating to a supported version or leveraging Vuetify NES for post-EOL security support.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.