cronoh NanoVault Cross-Site Scripting Vulnerability in xrb URL Handler
Vulnerability
A cross-site scripting vulnerability has been identified in cronoh NanoVault versions through 1.2.1. The issue is in the xrb URL Handler component, specifically in the executeJavaScript function of main.js. An attacker who supplies a malicious xrb URL can achieve remote code execution: the application processes the URL and executes the code embedded in it on the user's machine.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the victim's machine.
Reproduction
To reproduce this vulnerability, embed a crafted xrb URL into a website. When a user clicks the link, the NanoVault application will open and execute the JavaScript payload injected into the URL. This can be verified by including a command in the payload that, for example, opens a system application like Calculator.
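The pattern behind this class of bug, as an added example that is not NanoVault's code: URL text concatenated into a string handed to executeJavaScript, next to a validated and JSON-encoded alternative. The handleDeeplink hook, the helper names, the accepted URL shape and the sample inputs are assumptions made for illustration; a stub built with new Function stands in for the renderer so the example runs in plain Node.js.

```javascript
// Added illustration, not NanoVault's code. handleDeeplink, the helper names
// and the accepted URL shape (xrb:<account>?amount=<digits>) are assumptions.
const ACCOUNT = /^(?:xrb|nano)_[13][13-9a-km-uw-z]{59}$/;

// Vulnerable pattern: URL text becomes part of the source string that
// webContents.executeJavaScript() would evaluate in the renderer.
function buildScriptUnsafe(rawUrl) {
  return "handleDeeplink('" + rawUrl + "');";
}

// Hardened step 1: parse and allowlist; anything unexpected is dropped.
function parseXrbUrl(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== 'xrb:' || !ACCOUNT.test(u.pathname)) return null;
  const amount = u.searchParams.get('amount');
  if (amount !== null && !/^[0-9]{1,39}$/.test(amount)) return null;
  return { account: u.pathname, amount };
}

// Hardened step 2: values cross into code only as a JSON literal.
function buildScriptSafe(value) {
  return 'handleDeeplink(' + JSON.stringify(value) + ');';
}

// Stand-in for the renderer: runs a script and reports what it did.
function runInStub(script) {
  const state = { calls: [], tampered: false };
  const handleDeeplink = (arg) => state.calls.push(arg);
  new Function('handleDeeplink', 'state', script)(handleDeeplink, state);
  return state;
}

// Constructed inputs: a well-formed link and one that closes the string literal.
const GOOD = 'xrb:xrb_1' + '1'.repeat(59) + '?amount=1000';
const BAD = "xrb:x');state.tampered=true;//";

function demo() {
  return {
    unsafeTampered: runInStub(buildScriptUnsafe(BAD)).tampered,  // URL text ran as code
    encodedTampered: runInStub(buildScriptSafe(BAD)).tampered,   // URL text stayed data
    badAccepted: parseXrbUrl(BAD) !== null,                      // allowlist rejects it
    goodCall: runInStub(buildScriptSafe(parseXrbUrl(GOOD))).calls[0],
  };
}
```

In an Electron main process, sending the parsed object to the renderer over IPC with webContents.send avoids building script text at all.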
