NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module
🔗 CVE IDs covered (1)
📋 Description
Summary
Two filter-bypass techniques in NukeViet\Core\Request::filterAttr() and NukeViet\Core\Request::unhtmlentities() allow a low-privileged user (any account with news post permission) to store and serve arbitrary JavaScript to any visitor of the affected page.
Affected Component
vendor/vinades/nukeviet/Core/Request.php — class NukeViet\Core\Request
Vulnerability Details
Bypass 1 — Form Feed character prefix (\x0C) before event handler name
The filterAttr() method blocks event-handler attributes using:
preg_match('/^on/i', $attrSubSet[0])
PHP's trim() does not strip the ASCII Form Feed character (\x0C, U+000C). An attacker can prefix the attribute name with \x0C so that \x0Conerror does not match /^on/. The HTML5 browser parser treats \x0C as a valid whitespace separator and correctly activates the event handler.
Proof-of-concept payload (URL-encoded POST body field bodyhtml):
<img src="x" %0Conerror="alert('XSS')">
Bypass 2 — Decimal HTML entity tab (	) inside javascript: URI
unhtmlentities() strips the hex-encoded tab 	 via str_ireplace, but did not strip its decimal equivalent 	. The keyword-blocking regex /j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/si uses \s* which does not match HTML entities. The value jav	ascript:alert() passes the filter, is stored in the database, and is decoded by the browser into a working javascript: URI.
Proof-of-concept payload (inside a Markdown-style link):
[Click me](jav	ascript:alert('XSS'))
Impact
An authenticated attacker with news-posting permission can inject persistent JavaScript that executes in the browser of any user (including administrators) who views the affected article. This enables session cookie theft, credential harvesting, defacement, and further privilege escalation.
Patches
Fixed in commit <commit-sha> by modifying vendor/vinades/nukeviet/Core/Request.php:
-
filterAttr()— strip all ASCII control characters (\x00–\x20) from the attribute name before the/^on/check:$attrSubSet[0] = preg_replace('/[\x00-\x20]/', '', strtolower($attrSubSet[0])); -
unhtmlentities()— strip decimal HTML entities for all ASCII control characters (0–31) before the keyword checks:$value = preg_replace('/�*(?:3[01]|[12][0-9]|[0-9]);/', '', $value);
Workarounds
None. Update to the patched version.
Resources
- CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
- OWASP WSTG-INPV-02: Testing for Stored Cross Site Scripting
- OWASP Top 10 A03:2021 – Injection
🎯 Affected products1
- composer/nukeviet/nukeviet:< 4.6.00