VvvebJs 1.7.4 has a reflective XSS vulnerability

[Hebing123]

Summary

VvvebJs 1.7.4 has a reflective cross-site scripting (XSS) vulnerability. An attacker can execute malicious code in the user's browser by inducing the user to click on a link containing malicious code.

Details

The vulnerability exists in the save.php file, which accepts input from the user and outputs it directly to the HTML page or executes it without any form of filtering or escaping.
Here is the code for the vulnerability:

VvvebJs/save.php

Lines 91 to 93 in c6422cf

	if (isset($_GET['action'])) {
	$action = $_GET['action'];
	}

VvvebJs/save.php

Line 159 in c6422cf

showError("Invalid action '$action'!");

The $_GET['action'] accepts user input without any filtration or escaping, and it's directly assigned to the $action variable. In subsequent handling, the $action variable is processed without any effective security measures, and it's directly inserted into the front-end page during error messages, thus causing an XSS vulnerability.

Proof of Concept (POC)

http(s)://save.php?action=<script>alert(%27test%27)</script>

Impact

As this is a reflective XSS vulnerability, an attacker can construct a URL containing malicious code and lure the victim to access it. Once the victim accesses this malicious link, the harmful code is executed in their browser, potentially utilizing the victim's permissions to perform other possible malicious operations.
It is recommended that developers promptly fix the aforementioned reflective XSS vulnerability.

[givanz]

Thanks for the vulnerability report, I included a fix in the latest commit c0c0545 and made a new release https://github.com/givanz/VvvebJs/releases/tag/1.7.5

[Hebing123]

This means that this issue will be fixed in 1.7.5, thanks to these developers at Vvveb team for their attention!