The vulnerability exists in the VDatePicker component of Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0. The root cause is the improper handling of the title-date-format property. This property can be a function that formats the date displayed in the picker's title. The component takes the string returned by this function and injects it into the DOM using innerHTML without prior sanitization. This allows for the injection of arbitrary HTML and JavaScript, resulting in a Cross-Site Scripting (XSS) vulnerability.

The genTitle method within the VDatePicker component is identified as the vulnerable function, as it is responsible for constructing the title and applying the user-provided formatting function.

Since Vuetify 2.x is End-of-Life, there is no official patch. The recommended mitigation is to upgrade to Vuetify 3.x, where the component has been redesigned, or to use a third-party long-term support service that has patched the issue in version 2.x.
Vulnerable function: VDatePicker.genTitle (packages/vuetify/src/components/VDatePicker/VDatePicker.ts)
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vuetify | npm | >= 2.0.0, < 3.0.0 | 3.0.0 |
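For applications that cannot upgrade yet, the sketch below wraps a title-date-format function so its return value is HTML-escaped before the picker receives it. It is an added example, not Vuetify code or an official fix; `escapeHtml`, `safeTitleDateFormat`, `makeLabelledFormatter` and `renderTitleMarkup` are hypothetical names, and `renderTitleMarkup` is only a simplified stand-in for the innerHTML sink described above.

```javascript
// Characters that change meaning when a string is parsed as HTML.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape a value so it is rendered as text even when assigned to innerHTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrap a title-date-format function: arguments pass through unchanged,
// the returned string is escaped before it leaves application code.
function safeTitleDateFormat(formatter) {
  return function wrapped(...args) {
    return escapeHtml(formatter.apply(this, args));
  };
}

// Constructed sample: a formatter that mixes an externally supplied label
// into the title, which is how untrusted data can reach the sink.
function makeLabelledFormatter(label) {
  return (isoDate) => `${label}: ${isoDate}`;
}

// Simplified stand-in for the sink (assumption, not Vuetify's markup):
// returns the string that would be assigned to innerHTML.
function renderTitleMarkup(formatter, isoDate) {
  return `<div>${formatter(isoDate)}</div>`;
}

const untrustedLabel = '<img src=x onerror=alert(1)>'; // constructed test input
const raw = makeLabelledFormatter(untrustedLabel);

// Before: the label's markup reaches the sink intact and would be parsed.
const unsafeMarkup = renderTitleMarkup(raw, '2024-05-01');
// After: the same label arrives as inert text.
const safeMarkup = renderTitleMarkup(safeTitleDateFormat(raw), '2024-05-01');

console.log(unsafeMarkup);
console.log(safeMarkup);
```

In a Vue template the wrapped function would be bound as `:title-date-format="safeTitleDateFormat(myFormatter)"`, where `myFormatter` is the application's own formatter. This only covers formatters the application controls and leaves the component itself unchanged.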