Vikunja Cross-Site Scripting Vulnerability in Task Glance Tooltip Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Vikunja versions prior to 1.1.0. The issue arises in the TaskGlanceTooltip.vue component, where a temporary div is created to display task descriptions. Because the description is not properly escaped on either the server or the client side, a malicious user can store unescaped HTML in a task description. When another user hovers over the task, the injected HTML is rendered in that user's browser and any embedded script executes, resulting in XSS. The vulnerability can be exploited by sharing a project that contains the malicious task description.

Impact

Exploitation of this vulnerability allows cross-site scripting: an attacker can execute arbitrary JavaScript in the browser session of the user viewing the task.

Reproduction

To reproduce this vulnerability, create a project and add a task with a description. Use the API to update the task with unescaped HTML, such as an image tag with an 'onerror' event. Share the project with any permission level, then view the task to trigger the XSS.

Remediation

Users are advised to upgrade to Vikunja version 1.1.0, which addresses this vulnerability by implementing proper HTML parsing and escaping. The latest version can be downloaded from the Vikunja releases page or from Docker Hub.
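The rendering flaw described above and the escaping the fix relies on, shown side by side in an added example that is not Vikunja's code. It models the tooltip as a function that produces the temporary div's markup (no DOM needed), and the sample task is constructed here, not taken from the advisory.

```javascript
// Minimal HTML entity escaping: untrusted text becomes text, never markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the description is interpolated verbatim into the tooltip's
// markup, so any tags it contains are parsed and executed by the viewer's browser.
function renderTooltipUnsafe(task) {
  return `<div class="task-glance-tooltip"><strong>${task.title}</strong>` +
         `<div>${task.description}</div></div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation.
function renderTooltipSafe(task) {
  return `<div class="task-glance-tooltip"><strong>${escapeHtml(task.title)}</strong>` +
         `<div>${escapeHtml(task.description)}</div></div>`;
}

// Defensive check for a server-side validator or log review: flags descriptions
// carrying active content (script-like elements, inline event handlers, javascript: URLs).
function hasActiveContent(description) {
  const s = String(description);
  return /<\s*(script|iframe|object|embed|svg|math)\b/i.test(s)
      || /\bon[a-z]+\s*=/i.test(s)
      || /\b(href|src)\s*=\s*["']?\s*javascript:/i.test(s);
}

// Constructed sample task (hypothetical values, not from the advisory).
const sampleTask = {
  title: 'Review <b>budget</b>',
  description: '<img src="x" onerror="alert(1)"> Pay the invoice',
};
```

Escaping everything is the right default for the tooltip; where descriptions are meant to carry rich text, the formatting must instead go through a parsing sanitizer with an element and attribute allowlist, which is what the 1.1.0 fix describes.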

Added: Feb 11, 2026, 9:25 PM
Updated: Feb 11, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.9
remediation: 0.0
relevance: 3.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.