NREL api-umbrella-web Flash Message cross site scripting
Description
api-umbrella-web 0.7.1 has an XSS in the Flash Message Handler allowing remote attackers to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in api-umbrella-web version 0.7.1 within the Flash Message Handler component of the admin interface. The vulnerability arises because user-controlled fields (e.g., admin group name, username) are not properly escaped before being included in flash messages, allowing injection of arbitrary HTML and JavaScript. The patch [1] demonstrates the addition of _.escape() calls to sanitize these inputs.
Exploitation
An attacker with the ability to create or edit admin groups or admins can exploit this vulnerability remotely by submitting a crafted payload (e.g., via the group name or username field). When the form is saved, the payload is rendered as part of a flash message in the admin interface, executing in the context of an authenticated admin session. No additional user interaction is required beyond the attacker's action.
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the admin panel, potentially leading to session hijacking, data theft, defacement, or other malicious actions within the admin interface. The scope is limited to the admin context but could allow privilege escalation depending on the victim's permissions.
Mitigation
The issue is fixed in version 0.8.0 [2]. Users should upgrade to this version or apply the commit bcc0e922c61d30367678c8f17a435950969315cd manually if upgrading is not immediately possible [1]. No workarounds are documented.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=0.7.1
- (no CPE) range: 0.7.1
Patches
- bcc0e922c61d
Vulnerability mechanics
Root cause
"The application fails to properly escape user-supplied data when constructing messages displayed to the administrator."
Attack vector
An attacker with administrative privileges can craft input that includes malicious JavaScript within fields that are later displayed in flash messages. This input is not properly escaped before being rendered in the browser, allowing the JavaScript to execute within the context of the administrator's session. This vulnerability affects multiple administrative forms, including those for groups, admins, API scopes, API users, APIs, and website backends [ref_id=1].
Affected code
The vulnerability exists in the `Admin.AdminGroupsFormController`, `Admin.AdminsFormController`, `Admin.ApiScopesFormController`, `Admin.ApiUsersFormController`, `Admin.ApisFormController`, and `Admin.WebsiteBackendsFormController` within the `app/assets/javascripts/admin/controllers` directory. Specifically, the `message` attribute in the `submit` function of these controllers was not properly escaping user-controllable data [ref_id=1].
What the fix does
The patch introduces the use of the `_.escape()` function when constructing the message strings in various admin controllers [ref_id=1]. This function properly escapes characters that have special meaning in HTML, such as `<`, `>`, and `&`. By escaping these characters, any injected JavaScript code is rendered as plain text instead of being executed, thereby mitigating the cross-site scripting vulnerability.
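The following is an added example, not code from api-umbrella-web or its fix commit: it models the pre-fix and post-fix way the admin controllers described above build a flash message from a user-controlled field, and adds a defender-side check for raw markup in a message that is about to be inserted as HTML. The real controllers call Underscore's `_.escape()`; `escapeHtml` below is an assumed stand-alone re-implementation of that function's documented behaviour (escaping `&`, `<`, `>`, `"`, `'` and `` ` ``) so the file runs without the library. The function names, the message template and the sample group name are constructed for illustration.

```javascript
// Added example (not api-umbrella-web's own code).
// escapeHtml re-implements the behaviour of Underscore's _.escape() so
// this file runs offline; the project's patch uses _.escape() itself.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Pre-fix pattern (assumed template): the user-supplied name is concatenated
// straight into a string that the flash handler later inserts as HTML, so
// any tags in the name become live markup in the admin's browser.
function vulnerableMessage(groupName) {
  return 'Successfully saved the admin group "' + groupName + '"';
}

// Post-fix pattern: identical template, but the user value is escaped first,
// so tags arrive in the page as literal text (&lt;script&gt;...).
function fixedMessage(groupName) {
  return 'Successfully saved the admin group "' + escapeHtml(groupName) + '"';
}

// Defender-side check: does a string destined for innerHTML still contain a
// raw element tag? Escaped output must never match; useful as a unit test
// guard around any message-building code path.
function containsRawTag(html) {
  return /<\/?[a-z][^>]*>/i.test(html);
}

// Constructed sample: a group name carrying a script tag.
const SAMPLE_NAME = '<script>alert(1)</script>';

console.log('vulnerable :', vulnerableMessage(SAMPLE_NAME));
console.log('fixed      :', fixedMessage(SAMPLE_NAME));
console.log('raw tag in vulnerable message:', containsRawTag(vulnerableMessage(SAMPLE_NAME)));
console.log('raw tag in fixed message     :', containsRawTag(fixedMessage(SAMPLE_NAME)));
```

Escaping at the point where the message is built (as the patch does) is the right place only because the flash handler inserts the string as HTML; if the handler were changed to set text content instead, no escaping would be needed, and double-escaping would then show entity text to the admin. The `containsRawTag` guard is cheap to keep as a regression test for each controller's `submit` path.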
Preconditions
- auth: The attacker must have administrative privileges to access the affected forms.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/NREL/api-umbrella-web/commit/bcc0e922c61d30367678c8f17a435950969315cd (mitre, patch)
- [2] github.com/NREL/api-umbrella-web/releases/tag/v0.8.0 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.