CVE-2021-41924
Description
Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| krayin/laravel-crm (Packagist) | < 1.2.2 | 1.2.2 |
Patches
Vulnerability mechanics
Root cause
"Use of v-html instead of v-text in a Vue.js datagrid component allows unsanitized user input to be rendered as raw HTML."
Attack vector
An attacker can inject malicious JavaScript into a data field that is later displayed in the datagrid table. Because the application used `v-html` instead of `v-text` to render cell content [patch_id=6635923], the injected script executes in the browser of any user who views the affected table row. This is a classic stored Cross-Site Scripting (XSS) attack [CWE-79]. No authentication bypass is required if the attacker can create or edit records whose data appears in the grid.
Affected code
The vulnerability is in `packages/Webkul/UI/src/Resources/assets/js/components/datagrid/table-body.vue`, where the `v-html` directive was used to render row content. This allowed unsanitized user-controlled data to be injected as raw HTML. The patch also addresses a broken access control issue in `packages/Webkul/Admin/src/Http/Controllers/User/AccountController.php` by blocking role/permission fields from being submitted during account updates.
What the fix does
The patch replaces `v-html` with `v-text` in the datagrid table-body component [patch_id=6635923]. `v-html` interprets the bound string as raw HTML, allowing script injection, while `v-text` escapes the content and renders it as plain text. This change ensures that any user-supplied data displayed in the table is safely encoded and cannot execute JavaScript. The same commit also adds server-side validation in `AccountController.php` to reject role/permission fields during account updates, though that change addresses a separate access-control issue.
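To make the difference between the two directives concrete, the following is an added example (not code from the krayin/laravel-crm project or its patch): two small render helpers model how a datagrid cell bound with `v-html` versus `v-text` ends up in the DOM, and a simple source lint flags `v-html` bindings in a `.vue` template so the pattern can be caught in review. The escaping routine, the cell renderers, the sample field value and the sample template are all constructed here; they are a model of the directive semantics, not Vue's own implementation.

```javascript
// Added example, not part of the original advisory or the krayin/laravel-crm code base.
// Models v-html (raw markup) vs v-text (escaped text) for a datagrid cell, and
// provides a lint that reports v-html bindings in Vue template source.

// HTML entity escaping equivalent to what v-text / {{ }} interpolation guarantees.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: v-html places the bound string into the cell as raw markup,
// so any tags stored in the record are parsed and executed by the browser.
function renderCellVHtml(value) {
  return `<td>${value}</td>`;
}

// Fixed form: v-text treats the bound string as text, so tags are shown literally.
function renderCellVText(value) {
  return `<td>${escapeHtml(value)}</td>`;
}

// Constructed record value as a CRM user could store it in a free-text field.
const CONSTRUCTED_FIELD = '<b>Acme & Co</b><script>probe()</script>';

// Lint: report every template line that binds v-html, with its 1-based line number.
function findVHtmlBindings(vueSource) {
  const hits = [];
  vueSource.split('\n').forEach((line, index) => {
    if (/\bv-html\s*=/.test(line)) {
      hits.push({ line: index + 1, text: line.trim() });
    }
  });
  return hits;
}

// Constructed template fragment modelled on a datagrid table body (hypothetical, not the
// project's table-body.vue). The v-html binding on the cell is the pattern to flag.
const CONSTRUCTED_TEMPLATE = `<template>
  <tbody>
    <tr v-for="row in rows">
      <td v-for="cell in row" v-html="cell.value"></td>
    </tr>
  </tbody>
</template>`;

// The corrected template: the same cell bound with v-text instead.
const FIXED_TEMPLATE = CONSTRUCTED_TEMPLATE.replace('v-html=', 'v-text=');

// Summarise both renderings and the lint result for the constructed inputs.
function demo() {
  return {
    rawCell: renderCellVHtml(CONSTRUCTED_FIELD),
    escapedCell: renderCellVText(CONSTRUCTED_FIELD),
    vulnerableBindings: findVHtmlBindings(CONSTRUCTED_TEMPLATE),
    fixedBindings: findVHtmlBindings(FIXED_TEMPLATE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The lint is deliberately a line-level regex rather than a full template parser: it is meant as a cheap CI or pre-commit check that surfaces every `v-html` for a human to justify, since the only safe uses are those where the bound value is sanitised or never user-controlled.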
Preconditions
- Input: the attacker must be able to create or modify a record whose content is displayed in the datagrid table.
- Auth: a victim user must view the affected table page in a browser.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-v829-j9rr-85v9 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-41924 (NVD entry)
- https://github.com/krayin/laravel-crm/pull/195/commits/882dc2e7e7e9149b96cf1ccacf34900960b92fb7 (fix commit)