Nextlevelbuilder UI-UX Pro Max Skill Stored Cross-Site Scripting Vulnerability in Slide Generator Component

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Nextlevelbuilder UI-UX Pro Max Skill, in versions through 2.5.0. The issue resides in the Slide Generator component, in the data.get calls of the file .claude/skills/design-system/scripts/generate-slide.py. Values read from the input JSON are written into the generated HTML without escaping, so attacker-controlled markup and script can be injected. The flaw can be triggered remotely by embedding JavaScript in the JSON data input, which the Slide Generator processes and emits as part of an HTML presentation deck. When the generated HTML is viewed in a web browser, the injected script executes, leading to potential cookie theft, session hijacking, and other malicious actions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the generated HTML. This could lead to cookie theft, session hijacking, and unauthorized access to user credentials.

Reproduction

To reproduce this vulnerability, upload a JSON file containing unescaped HTML, including JavaScript payloads, to the Slide Generator. After the JSON is processed, the generated HTML will contain the injected scripts. Opening this HTML file in a web browser will trigger the execution of the injected JavaScript, demonstrating the cross-site scripting vulnerability.

Remediation

The vulnerability can be remediated by HTML-encoding all user-supplied data before embedding it into the generated HTML, including values placed inside attribute values. Additionally, URLs written into href attributes should be validated against an allowlist of schemes so they cannot carry a javascript: (or similar script-executing) scheme.
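The remediation above, as an added illustration that is not the project's own code: a hypothetical slide renderer written the way the advisory describes the flaw (values from data.get interpolated verbatim) next to a hardened version that HTML-encodes every value and allowlists the href scheme. The JSON keys (title, body, link) and the constructed sample input are assumptions, not the project's real schema.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Constructed sample standing in for an uploaded slide-deck JSON file.
# The keys below are assumptions, not the project's actual schema.
SAMPLE_JSON = json.dumps({
    "title": "Q3 <b>results</b>",
    "body": "<img src=x onerror=alert(1)>",
    "link": "JavaScript:alert(document.cookie)",
})

# Only these URL schemes may appear in an href; relative links are allowed too.
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(url: str) -> str:
    """Return the attribute-escaped URL if its scheme is allowlisted, else '#'.

    Browsers ignore tab/CR/LF inside a scheme, so those are stripped before
    parsing; urlsplit() yields the scheme in lower case, which defeats
    mixed-case variants such as 'JavaScript:'.
    """
    cleaned = re.sub(r"[\t\r\n]", "", url).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)


def render_slide_unsafe(data: dict) -> str:
    """Pattern the advisory describes: data.get() values land in HTML verbatim."""
    return (f"<h1>{data.get('title', '')}</h1>"
            f"<p>{data.get('body', '')}</p>"
            f"<a href=\"{data.get('link', '#')}\">more</a>")


def render_slide_safe(data: dict) -> str:
    """Hardened form: every text value is HTML-encoded, the href is validated."""
    esc = lambda s: html.escape(str(s), quote=True)  # quote=True also covers attributes
    return (f"<h1>{esc(data.get('title', ''))}</h1>"
            f"<p>{esc(data.get('body', ''))}</p>"
            f"<a href=\"{safe_href(str(data.get('link', '#')))}\">more</a>")


def render_deck(json_text: str) -> str:
    """Parse the uploaded JSON and render it with the hardened renderer."""
    return render_slide_safe(json.loads(json_text))
```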

Added: May 1, 2026, 9:24 PM
Updated: May 1, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         1.7
exploitability: 8.0
remediation:    0.0
relevance:      7.0
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.