ghsa-9f58-4465-23c7
Vulnerability from github
Published
2025-10-29 10:52
Modified
2025-10-29 10:52
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
Details

A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component.

In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed.

For example, if a field’s value contains {{ Math.random() }}, it will be executed instead of being displayed as text.

Impact

Attackers who can control content rendered through SharpShowTextField could execute arbitrary JavaScript in the context of an authenticated user’s browser.

This could lead to:

  • Theft of user session tokens.
  • Unauthorized actions performed on behalf of users.
  • Injection of malicious content into the admin panel.

Patches

The issue has been fixed in v9.11.1 of code16/sharp package.

Mitigation / Workarounds

Sanitize or encode any user-provided data that may include ({{ & }}) before displaying it in a SharpShowTextField.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "code16/sharp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T10:52:08Z",
    "nvd_published_at": "2025-10-28T21:15:40Z",
    "severity": "MODERATE"
  },
  "details": "A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component.\n\nIn affected versions, expressions wrapped in `{{` \u0026 `}}` were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed.\n\nFor example, if a field\u2019s value contains `{{ Math.random() }}`, it will be executed instead of being displayed as text.\n\n### Impact\n\nAttackers who can control content rendered through SharpShowTextField could execute arbitrary JavaScript in the context of an authenticated user\u2019s browser.\n\nThis could lead to:\n\n- Theft of user session tokens.\n- Unauthorized actions performed on behalf of users.\n- Injection of malicious content into the admin panel.\n\n### Patches\n\nThe issue has been fixed in v9.11.1 of code16/sharp package.\n\n### Mitigation / Workarounds\n\nSanitize or encode any user-provided data that may include (`{{` \u0026 `}}`) before displaying it in a SharpShowTextField.",
  "id": "GHSA-9f58-4465-23c7",
  "modified": "2025-10-29T10:52:08Z",
  "published": "2025-10-29T10:52:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62798"
    },
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/pull/654"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ViktorMares/vue-js-xss-payload-list"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/code16/sharp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/releases/tag/v9.11.1"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@sid0krypt/vue-js-reflected-xss-fae04c9872d2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.