CVE-2018-8108
Description
The select component in bui through 2018-03-13 has XSS because it performs an escape operation on already-escaped text, as demonstrated by workGroupList text.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The bui framework's select component double-decodes escaped text, enabling stored XSS via the workGroupList input.
Vulnerability
The bui framework's select component (versions through 2018-03-13) suffers from a cross-site scripting (XSS) vulnerability because it performs an escape operation on already-escaped text. Specifically, when the component retrieves data from an input element like workGroupList, it unescapes previously sanitized content, allowing malicious payloads to execute. [1]
Exploitation
An attacker must inject a crafted XSS payload into data that is later processed by the select component, such as the workGroupList input. The input is initially escaped (e.g., via server-side encoding), but the select component reverses that escaping when rendering, causing the payload to execute in the victim's browser. No special network position or authentication is required if the attacker can inject the data through ordinary application channels (e.g., form submission). [1]
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft, defacement, or other client-side attacks. The attacker gains the ability to perform actions on behalf of the victim within the affected application. [1]
Mitigation
The vulnerability is present in bui framework versions through 2018-03-13. No official patch or fixed version is mentioned in the reference. Users should update to a later version if available, implement strict input validation and output encoding, and deploy Content Security Policy (CSP) headers to reduce impact. The CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
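The following added example (not code from bui or from the cited reference) models the behaviour described above: a renderer that decodes already-escaped text before placing it in markup, next to a version that encodes exactly once at the HTML sink. All function names and the sample values are assumptions constructed for illustration.

```javascript
// Added illustration; not bui source code. All names are hypothetical.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const REVERSE = Object.fromEntries(Object.entries(ENTITIES).map(([c, e]) => [e, c]));

// Encode text for an HTML element-content context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Single-pass decode: "&amp;lt;" becomes "&lt;", never "<".
function unescapeHtml(markup) {
  return String(markup).replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => REVERSE[e]);
}

// Pattern the page describes: escaped text is decoded and then used as markup.
function renderOptionVulnerable(storedText) {
  return '<li class="option">' + unescapeHtml(storedText) + '</li>';
}

// Hardened: reduce to one canonical plain-text form, then encode once on output.
// Encoding without the decode step would display "&amp;amp;" for a stored "&amp;".
function renderOptionSafe(storedText) {
  return '<li class="option">' + escapeHtml(unescapeHtml(storedText)) + '</li>';
}

// Regression check: does anything inside the wrapper parse as a tag?
function containsInjectedTag(html) {
  const inner = html.replace(/^<li class="option">/, '').replace(/<\/li>$/, '');
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample values, already escaped as a server would store them.
const samples = ['Ops &amp; Support', '&lt;img src=x onerror=alert(1)&gt;'];

for (const s of samples) {
  const bad = renderOptionVulnerable(s);
  const good = renderOptionSafe(s);
  console.log(JSON.stringify({ stored: s, vulnerable: containsInjectedTag(bad), safe: containsInjectedTag(good) }));
}
```

A check like `containsInjectedTag` can run in a unit test against every component that renders user-controlled labels, so a reintroduced decode step fails the build.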
Affected products
1
Patches
0
No patches discovered yet.