Vikunja Reflected HTML Injection Vulnerability in Projects Module
Vulnerability
A reflected HTML injection vulnerability has been identified in Vikunja, an open-source task management platform, in versions prior to 2.0.0. The issue resides in the Projects module, where the 'filter' URL parameter is injected into the DOM without proper output encoding. Although script and iframe tags are blocked, SVG, anchor, and certain formatting tags are allowed, creating opportunities for phishing attacks and content spoofing within the application.
Impact
Exploitation of this vulnerability allows for the injection of SVG elements and links, which can be used to create phishing buttons or spoofed messages that appear to come from a trusted source.
Reproduction
To reproduce this vulnerability, share a link to a project that includes a crafted 'filter' parameter payload. When the recipient opens the link and clicks the 'Filter' button, the injected content will be rendered within the Vikunja interface.
Remediation
Users can upgrade to Vikunja version 2.0.0, which addresses this vulnerability by replacing the raw HTML rendering of the 'filter' parameter with properly escaped text output.
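The reproduction and remediation above can be illustrated side by side. The block below is an added example, not Vikunja's code: it contrasts a tag-blocklist-then-raw-HTML pattern (the vulnerable behaviour described above, where script and iframe are stripped but anchor and SVG tags pass through) with output encoding of the 'filter' value. All function names and the sample URL are constructed for illustration.

```javascript
// Added example (not Vikunja's code): a blocklist-then-raw-HTML renderer
// beside an output-encoding renderer for a user-controlled 'filter' value.
// All names and the sample URL below are hypothetical.

// Encode the characters that let text break out of a text node or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: remove a few tag names, then interpolate as raw HTML.
// Tags not on the blocklist (a, svg, b, ...) reach the DOM unchanged.
const BLOCKED_TAGS = /<\/?(script|iframe)\b[^>]*>/gi;
function renderFilterUnsafe(filterParam) {
  return `<div class="filter-query">${filterParam.replace(BLOCKED_TAGS, '')}</div>`;
}

// Fixed pattern: encode the value so the browser treats it as text, not markup.
function renderFilterSafe(filterParam) {
  return `<div class="filter-query">${escapeHtml(filterParam)}</div>`;
}

// Extract the 'filter' query parameter from a shared project link.
function filterFromUrl(url) {
  return new URL(url).searchParams.get('filter') ?? '';
}

// Defender-side check: a legitimate filter expression never needs markup,
// so the presence of '<' or '>' is a cheap signal worth logging or rejecting.
function containsMarkup(filterParam) {
  return /[<>]/.test(filterParam);
}

// Constructed sample: a project link whose 'filter' value carries an anchor tag.
const SAMPLE_URL = 'https://vikunja.example/projects/1?filter=' +
  encodeURIComponent('done = false <a href="https://example.invalid">Open</a>');

// Stand-alone demonstration of both renderers on the sample link.
function demo() {
  const filter = filterFromUrl(SAMPLE_URL);
  return {
    flagged: containsMarkup(filter),
    unsafe: renderFilterUnsafe(filter),
    safe: renderFilterSafe(filter),
  };
}

console.log(demo());
```

Run with `node` to see the unsafe output keep the live `<a>` element while the safe output carries only encoded text.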
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
