Kyverno Policy Reporter UI v2.5.1 Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Kyverno Policy Reporter UI in versions before 2.5.2. The issue is in the PropertyCard.vue component, which renders property values with Vue 3's v-html directive, injecting raw HTML into the DOM and bypassing the framework's automatic escaping. The only guard in front of v-html is an isURL() check that recognises strings beginning with 'http:' or 'https:'; it decides how URL values are displayed but does not sanitize anything else, so any non-URL string containing HTML is inserted unescaped and any script it carries runs in the browser session of the user viewing the report. The rendered values come from the properties of Kubernetes PolicyReport results, so anyone with write access to PolicyReport objects in the cluster can plant a payload that executes in the browser of every Policy Reporter UI user who opens that result.

Impact

Exploitation gives stored cross-site scripting: a script placed in a PolicyReport property runs in the browser of any authenticated Policy Reporter UI user who views the affected result, with that user's session in the UI. The attacker needs write access to PolicyReport objects in the cluster, not access to the UI itself.

Reproduction

To reproduce, create a PolicyReport resource whose result carries a property value longer than 75 characters that does not begin with 'http:' or 'https:' and contains HTML. When an authenticated user opens the Policy Reporter UI and expands the corresponding result row, the property is rendered through v-html and the embedded script executes.
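As an added illustration covering both the Vulnerability and Reproduction sections (this is not the Policy Reporter source; the isURL() guard, the two rendering functions, the audit helper and the sample PolicyReport are assumptions modelled on the description above), the following JavaScript shows the raw-HTML path beside the escaped path a fixed component would use, and adds an audit an operator can run over PolicyReport objects to find values that would be rendered as markup:

```javascript
// Added illustration (not Policy Reporter's code). It mirrors the behaviour the
// advisory describes: an isURL() guard that only recognises "http:"/"https:"
// prefixes, a v-html-style path that inserts everything else unescaped, the
// escaped path a fixed component would use, and an audit that scans a
// PolicyReport for property values that would be rendered as markup.

// Hypothetical guard with the described behaviour; the real one may differ.
function isURL(value) {
  return typeof value === "string" &&
    (value.startsWith("http:") || value.startsWith("https:"));
}

// What Vue's {{ }} interpolation does and v-html skips.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: returns the string that ends up in innerHTML.
// URLs become links; anything else is passed through untouched, so a value
// carrying tags is parsed as HTML by the browser.
function renderPropertyVulnerable(value) {
  if (isURL(value)) {
    const u = escapeHTML(value);
    return `<a href="${u}" target="_blank" rel="noopener">${u}</a>`;
  }
  return value;
}

// Hardened rendering: the non-URL branch is escaped, so tags are shown as
// text. The URL branch is unchanged (the guard already restricts the scheme).
function renderPropertyHardened(value) {
  if (isURL(value)) {
    const u = escapeHTML(value);
    return `<a href="${u}" target="_blank" rel="noopener">${u}</a>`;
  }
  return escapeHTML(value);
}

// Audit helper: list result properties in a PolicyReport-shaped object whose
// value would reach the raw-HTML branch and contains something tag-like.
const TAG_LIKE = /<\s*[a-zA-Z!/?]/;
function findSuspiciousProperties(report) {
  const hits = [];
  for (const r of report.results || []) {
    for (const [key, value] of Object.entries(r.properties || {})) {
      if (typeof value === "string" && !isURL(value) && TAG_LIKE.test(value)) {
        hits.push({ policy: r.policy, rule: r.rule, key, value });
      }
    }
  }
  return hits;
}

// Constructed sample in the shape of a wg-policy-k8s.io PolicyReport; the
// "notes" value is a harmless test payload padded past the 75-character
// threshold the reproduction section mentions.
const sampleReport = {
  apiVersion: "wg-policy-k8s.io/v1alpha2",
  kind: "PolicyReport",
  metadata: { name: "polr-demo", namespace: "default" },
  results: [
    {
      policy: "require-team-label",
      rule: "check-team",
      result: "fail",
      message: "label team is required",
      properties: {
        docs: "https://example.invalid/policies/require-team-label",
        notes: '<img src=x onerror="console.log(\'xss\')">' + "x".repeat(60),
      },
    },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  const notes = sampleReport.results[0].properties.notes;
  console.log("vulnerable:", renderPropertyVulnerable(notes));
  console.log("hardened:  ", renderPropertyHardened(notes));
  console.log("audit:", findSuspiciousProperties(sampleReport));
}
```

The audit deliberately ignores the 75-character threshold: that threshold only describes when the expandable card appears, and a shorter value containing markup is still worth removing before the UI is upgraded.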

Remediation

Update to Kyverno Policy Reporter UI version 2.5.2 or later, where this vulnerability has been fixed. Until the upgrade is applied, restricting via RBAC which principals can create or modify PolicyReport objects limits who is able to plant a payload, since write access to those objects is what the attack requires.

Added: May 12, 2026, 11:21 PM
Updated: May 12, 2026, 11:21 PM

Vulnerability Rating (custom algorithm)

spread          2.6
impact          1.7
exploitability  6.0
remediation     7.7
relevance       8.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.