NiceGUI Cross-Site Zero-Click XSS Vulnerability in Sub-Pages Component

A cross-site scripting (XSS) vulnerability has been identified in NiceGUI, a Python-based UI framework, affecting versions 2.22.0 prior to 3.4.1. The issue arises from an unsafe implementation in the pushstate event listener of the ui.sub_pages component, which allows attackers to manipulate the URL's fragment identifier. This manipulation can be executed cross-site using an iframe, leading to potential XSS attacks.

Impact

Exploitation of this vulnerability allows for cross-site scripting (XSS) attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, load a NiceGUI application version 2.22.0 through 3.4.1 that uses the 'ui.sub_pages' component. The application must not have implemented any measures to block iframe embedding. Once the page is loaded, an iframe can be used to manipulate the URL fragment, triggering the XSS vulnerability. This can be done by sending a crafted URL that includes a script payload in the fragment identifier, which will be executed when the sub-page is opened.

Remediation

Users can update to NiceGUI version 3.5.0, which patches the vulnerability. Additionally, applications can implement a middleware to block iframe embedding by setting the 'X-Frame-Options' header to 'DENY'.