Code16 Sharp Cross-Site Scripting Vulnerability in SharpShowTextField Component
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in Code16 Sharp versions prior to 9.11.1. The issue arises in the SharpShowTextField component, where field content is handed to Vue in a way that causes expressions wrapped in '{{' and '}}' to be evaluated as template interpolations rather than displayed literally. This behavior allows attackers to inject arbitrary JavaScript or HTML that executes in the browser when the content is displayed. For instance, a field value containing '{{ Math.random() }}' would be evaluated rather than shown as plain text.
Impact
Exploitation allows for the execution of arbitrary JavaScript in the context of an authenticated user's browser. This could result in the theft of session tokens, unauthorized actions on behalf of users, or the injection of malicious content into the admin panel.
Remediation
Update to Code16 Sharp version 9.11.1 or later to address this vulnerability. Additionally, it is recommended to sanitize or encode any user-provided data that may include '{{' and '}}' before displaying it in a SharpShowTextField, so that the delimiters are never seen by the template compiler.
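As an added illustration of the encoding advice above (this is example code, not Code16 Sharp's own code and not the fix shipped in 9.11.1), the following JavaScript shows two defensive helpers: one that detects mustache interpolation expressions in a field value, for logging or a pre-storage check, and one that encodes the brace characters to HTML numeric entities. It assumes the value ends up inside Vue template source, so that keeping the literal '{{' sequence out of that source prevents interpolation while the browser still displays braces; the helper names, the entity map and the sample values are all constructed for this example.

```javascript
// Added example (not Code16 Sharp's code). Assumption: the field value is
// compiled as Vue template text, so a raw "{{ ... }}" would be evaluated.

// Detection: return every "{{ ... }}" expression found in a field value.
// The regex is built per call so no shared lastIndex state leaks between calls.
function findInterpolations(value) {
  const re = /\{\{[\s\S]*?\}\}/g; // non-greedy, spans newlines
  return [...String(value).matchAll(re)].map((m) => m[0]);
}

// Encoding: map the usual HTML metacharacters plus both brace characters to
// entities. The compiled template source then never contains "{{", but the
// browser renders the entities back to the original characters for display.
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '{': '&#123;',
  '}': '&#125;',
};

function encodeForVueTemplate(value) {
  return String(value).replace(/[&<>"'{}]/g, (ch) => ENTITY_MAP[ch]);
}

// Reverse map, used only to show that what the browser displays is the
// original text (single pass, so "&amp;#123;" is not double-decoded).
const REVERSE_MAP = Object.fromEntries(
  Object.entries(ENTITY_MAP).map(([ch, ent]) => [ent, ch])
);

function decodeEntities(html) {
  return String(html).replace(/&(?:amp|lt|gt|quot|#39|#123|#125);/g, (ent) => REVERSE_MAP[ent]);
}

// Preferred path where the value is plain text anyway: never compile it as a
// template; assign it to a text node (textContent / v-text), which cannot
// carry markup or interpolation. `node` is any object with a textContent slot.
function renderAsText(value, node) {
  node.textContent = String(value);
  return node;
}

// Constructed sample field values for illustration.
const SAMPLES = [
  'Invoice #42 for {{ customer }}',
  'plain description',
  '{{ 1 + 1 }} and {{ "x" }}',
];

function report() {
  return SAMPLES.map((value) => ({
    value,
    interpolations: findInterpolations(value),
    encoded: encodeForVueTemplate(value),
    stillHasDelimiters: findInterpolations(encodeForVueTemplate(value)).length > 0,
  }));
}

for (const row of report()) {
  console.log(JSON.stringify(row));
}
```

The encoding helper is the fallback for places that must inject the value into template source; where the component only needs to show text, rendering through a text node (the `renderAsText` path, or `v-text` in a Vue template) removes the problem entirely because no template compilation of untrusted data takes place.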
