# Vuetify VCalendar XSS Vulnerability POC (CVE-2025-1461)
This repository contains a proof of concept demonstrating the XSS vulnerability in Vuetify's VCalendar component, specifically in the `eventMoreText` prop.
## Vulnerability Details
- **CVE ID**: CVE-2025-1461
- **Affected Versions**: >=2.0.0 <3.0.0
- **Severity**: Medium (4.6)
- **Category**: Cross-Site Scripting (XSS)
## Prerequisites
- Node.js (v14-16)
- npm
## Installation
1. Clone this repository:
```bash
git clone https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461
cd nes-vuetify-cve-2025-1461
```
2. Install dependencies:
```bash
npm install
```
## Running the POC
1. Start the development server:
```bash
npm run dev
```
2. Open your browser and navigate to `http://localhost:3000`
## Understanding the Vulnerability
The POC demonstrates how malicious HTML/JavaScript can be injected through the `eventMoreText` prop of the VCalendar component. When a day has more events than can be displayed, the calendar shows a "more events" link. The text of that link comes from `eventMoreText`, so markup supplied through the prop can execute arbitrary JavaScript code in the page.
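
For applications that have to stay on an affected 2.x release, one mitigation is to validate anything bound to `eventMoreText` before it reaches the component. The guard below is an added example, not code from this repository or from Vuetify; `safeEventMoreText`, `renderMoreLink` and `countTags` are hypothetical names, and `renderMoreLink` is only a simplified stand-in for a component that writes the label as raw HTML.

```javascript
'use strict';
// Vuetify 2's documented default for eventMoreText (a locale key, "{0} more" in en).
const DEFAULT_MORE_TEXT = '$vuetify.calendar.moreEvents';
const LOCALE_KEY = /^\$vuetify\.[A-Za-z0-9_.]+$/;
const PLAIN_TEXT = /^[^<>&"'`]{1,40}$/; // no markup metacharacters, bounded length

// Returns a value that is safe to bind to :event-more-text, falling back to
// the default key when the candidate is neither a locale key nor plain text.
function safeEventMoreText(candidate) {
  if (typeof candidate !== 'string') return DEFAULT_MORE_TEXT;
  const value = candidate.trim();
  if (LOCALE_KEY.test(value) || PLAIN_TEXT.test(value)) return value;
  return DEFAULT_MORE_TEXT;
}

// Simplified stand-in for a component that writes the label as raw HTML.
// Hypothetical model for this example, not Vuetify's source.
function renderMoreLink(label, hiddenCount) {
  return `<a class="more">${label.replace('{0}', String(hiddenCount))}</a>`;
}

// Counts opening tags in an HTML string; the link itself should be the only one.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample inputs: plain text, a locale key, inert markup, a non-string.
const samples = ['{0} more', '$vuetify.calendar.moreEvents', '<u>{0} more</u>', 42];
for (const s of samples) {
  const guarded = safeEventMoreText(s);
  console.log(JSON.stringify(s), '->', JSON.stringify(guarded),
    'tags:', countTags(renderMoreLink(guarded, 3)));
}
```

In a template the guard wraps the bound value, for example `:event-more-text="safeEventMoreText(userLabel)"`, where `userLabel` is an assumed name for the untrusted input.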
## Related Links
- [Vuetify Documentation](https://v2.vuetifyjs.com/)
- [Vuetify Calendar API](https://v2.vuetifyjs.com/en/api/v-calendar/)
- [Vuetify NES](https://herodevs.com/support/vuetify-nes)
- [CVE-2025-1461 Details](https://www.cve.org/CVERecord?id=CVE-2025-1461)

```
[4.0K] /data/pocs/8cf96ddee7f4a59d1f57e45125f52e1da84d395f
├── [ 636] index.html
├── [ 344] package.json
├── [ 74K] package-lock.json
├── [1.3K] README.md
├── [4.0K] src
│   ├── [3.2K] App.vue
│   ├── [4.0K] components
│   │   └── [3.3K] Reproduction.vue
│   ├── [ 147] main.js
│   └── [ 158] vuetify.js
└── [ 346] vite.config.js

2 directories, 9 files
```