MQTTX Cross-Site Scripting Vulnerability
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in MQTTX versions prior to 1.12.1. This issue arises from improper handling of MQTT message payloads, allowing malicious HTML or JavaScript to be rendered in the message viewer. Exploitation could enable attackers to execute scripts within the application UI context, potentially accessing MQTT connection credentials or triggering unintended actions. The vulnerability is particularly concerning in untrusted or multi-tenant environments, where message content is not fully controlled.
Impact
Exploitation allows for Cross-Site Scripting (XSS) attacks, where injected scripts are executed in the context of the application UI. This could lead to unauthorized access to MQTT connection credentials or the execution of unintended actions through script injection.
Remediation
Users should upgrade to MQTTX version 1.12.1 or later. If an immediate upgrade is not possible, avoid connecting to untrusted brokers or topics and manually inspect suspicious payloads before rendering.
