Vuetify VDatePicker Component Cross-Site Scripting Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in the Vuetify library, specifically within the VDatePicker component. This issue affects Vuetify versions 2.0.0 through 3.0.0. The vulnerability arises from the title-date-format property, which allows users to pass a function that can inject unsanitized HTML into the page. The injected HTML is then executed as JavaScript, creating an XSS risk.

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a Vue.js application using Vuetify 2.x. Add a VDatePicker component and set the title-date-format prop with a function that returns malicious HTML, such as an image tag with an onerror event. When the component is rendered, the injected script will execute, demonstrating the XSS vulnerability.

Remediation

Vuetify v2 is End-of-Life and will not receive updates. Users should migrate to Vuetify v3 or seek support from a commercial partner like HeroDevs.