NREL api-umbrella-web Admin Data Table cross site scripting
Description
Cross-site scripting (XSS) vulnerability in the admin data tables of api-umbrella-web 0.7.1 allows remote attackers to inject arbitrary web script or HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Admin Data Table Handler of NREL api-umbrella-web version 0.7.1. The application fails to properly escape user-supplied data when rendering table cells in the admin interface, allowing injection of arbitrary HTML and JavaScript. The issue was addressed in commit f53a9fb and released in version 0.8.0 [1][2].
Exploitation
An attacker can exploit this vulnerability remotely by providing crafted input that is later displayed in an admin data table. No authentication is explicitly required according to the description, but the vulnerable component is part of the admin interface, suggesting that an attacker would need to be an authenticated admin user or have the ability to inject data that is viewed by an admin. The attack does not require any special privileges beyond the ability to submit data that ends up in the table.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an admin user's browser session. This could lead to session hijacking, defacement of the admin interface, or theft of sensitive information displayed in the admin panel.
Mitigation
The vulnerability is fixed in version 0.8.0 of api-umbrella-web. Users should upgrade to this version or apply the patch from commit f53a9fb [1]. The repository has been archived and is read-only, so no further updates are expected. No workarounds are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >= 0.7.1, < 0.8.0
- (no CPE) range: 0.7.1
Patches
- f53a9fb87e10
Vulnerability mechanics
Root cause
"The Admin Data Table Handler component failed to properly escape user-supplied input before rendering it in the web interface."
Attack vector
An attacker can exploit this vulnerability by injecting malicious scripts into fields handled by the Admin Data Table Handler. When these fields are displayed in the admin interface, the embedded scripts will execute in the context of the user's browser. This vulnerability can be triggered remotely, requiring no special privileges beyond the ability to interact with the affected component. The vulnerability is classified as cross-site scripting [CWE-79].
Affected code
The vulnerability resides within the Admin Data Table Handler component, specifically in how data is rendered for various tables. The commit modifies multiple files, including `app/assets/javascripts/admin.js.coffee`, to replace existing render functions with calls to the new, safer `Admin.DataTablesHelpers` functions. This affects tables like `Admin.AdminGroupsTableView`, `Admin.AdminsTableView`, `Admin.ApiScopesTableView`, `Admin.ApiUsersTableView`, `Admin.ApisTableView`, and `Admin.LogsTableView` [patch_id=4375397].
What the fix does
The patch introduces two helper functions, `renderEscaped` and `renderListEscaped`, in `Admin.DataTablesHelpers`. They pass each value through `_.escape()` before it is rendered in the data tables, so HTML metacharacters such as `<`, `>`, `&` and quotes are converted to entities and displayed as text rather than parsed as markup. With the values escaped, injected markup can no longer execute as JavaScript, which closes the cross-site scripting vulnerability [patch_id=4375397].
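The following is an added illustration of the pattern the fix describes; it is not code from api-umbrella-web. It places a DataTables-style `render` callback that concatenates the cell value straight into markup (the vulnerable shape) beside escaping helpers modelled on the `renderEscaped` and `renderListEscaped` names from the commit. The `escapeHtml` function is an assumed stand-in that reproduces the character set underscore's `_.escape()` handles, so the file runs without any dependency; the column definitions and sample row are constructed for the demonstration.

```javascript
// Reimplementation of the escaping underscore's _.escape() performs (assumption:
// the original helpers call _.escape directly; this avoids the dependency).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(value) {
  // null/undefined render as an empty cell; everything else is stringified.
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw value is interpolated into HTML, so any tags
// in the stored data become live markup when DataTables writes the cell.
function renderUnescaped(value /*, type, row */) {
  return '<span class="cell">' + value + '</span>';
}

// Hardened helpers, named after the ones the fix introduces (names from the
// page; bodies are this example's own).
const DataTablesHelpers = {
  // Scalar cell: escape, then let DataTables insert the text.
  renderEscaped(value /*, type, row */) {
    return escapeHtml(value);
  },
  // Array cell: build the list markup ourselves but escape every item, so the
  // structural tags are trusted and the data never is.
  renderListEscaped(list /*, type, row */) {
    if (!Array.isArray(list) || list.length === 0) {
      return '';
    }
    const items = list.map((item) => '<li>' + escapeHtml(item) + '</li>');
    return '<ul>' + items.join('') + '</ul>';
  },
};

// Column definitions in the shape DataTables expects: `render` is called per
// cell with (data, type, row). Constructed for this example.
const adminsColumns = [
  { data: 'username', render: DataTablesHelpers.renderEscaped },
  { data: 'group_names', render: DataTablesHelpers.renderListEscaped },
];

// Renders one row through the column definitions; returns the cell strings
// that would be handed to the browser.
function renderRow(columns, row) {
  return columns.map((col) => col.render(row[col.data], 'display', row));
}

// Constructed sample row containing markup in a user-controlled field.
const sampleRow = {
  username: '<script>alert("x")</script>',
  group_names: ['ops', '<b>bold</b>'],
};

// Side by side: the unescaped renderer emits live tags, the helpers emit text.
console.log(renderUnescaped(sampleRow.username));
console.log(renderRow(adminsColumns, sampleRow));
```

The design point is where escaping happens: in the column's `render` callback, which is the last code that touches the value before DataTables writes it into the DOM. Escaping there, rather than on input, means every table that routes its cells through the helpers is covered regardless of how the data was stored.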
Preconditions
- network: The attacker can reach the affected component over the network.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/NREL/api-umbrella-web/commit/f53a9fb87e10c457f0f3dd4f2af24d3b2f21b3c (mitre, patch)
- github.com/NREL/api-umbrella-web/releases/tag/v0.8.0 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)