CVSS total: 13.4 · Vulnerabilities: 2 (Medium: 1, High: 1)
PT-2026-22026 · CVSS 6.1 · 2026-02-25
Vikunja · Vikunja · CVE-2026-27116
**Name of the Vulnerable Software and Affected Versions**

Vikunja versions prior to 2.0.0

**Description**

Vikunja, a self-hosted task management platform, has a reflected HTML injection issue in the Projects module. The `filter` URL parameter is rendered into the DOM without output encoding when a user clicks "Filter". While `<script>` and `<iframe>` tags are blocked, tags such as `<svg>`, `<a>`, `<h1>`, `<b>` and `<u>` are rendered without restriction, which allows SVG-based phishing buttons, external redirect links and content spoofing inside the trusted Vikunja interface. The attack is triggered by a crafted project filter link shared by an attacker: when the victim opens it and clicks "Filter", the injected markup is rendered within the application. The vulnerable component is the frontend route `/projects/-1/-1?filter=PAYLOAD&page=1`, with `filter` as the vulnerable parameter. The root cause is the use of `v-html` or `innerHTML`, which inserts the `filter` value as raw HTML instead of as text; blocking two tag names by denylist does not change that, since any tag the denylist omits still reaches the DOM.

**Recommendations**

Versions prior to 2.0.0 (2.0.0 and later are not in the affected range):

- Replace `v-html` with `v-text` or `{{ }}` interpolation so the value is auto-escaped.
- HTML entity encode the `filter` value at the rendering point.
- Replace the denylist with a strict DOMPurify allowlist, or stop rendering filter values as HTML altogether.
- Deploy a Content Security Policy (CSP) with `form-action 'self'`. Note that `form-action` only restricts where forms may be submitted; it does not stop navigation through an injected `<a href>` link, so treat it as defence in depth rather than a fix on its own.
- Implement server-side input validation that rejects filter values which do not match the expected filter syntax.
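The following is an added example, not Vikunja's own code, showing why the denylist described above fails and how two of the recommended fixes (entity encoding at the rendering point, and server-side syntax validation) neutralise the same payloads. The denylist regex, the filter grammar in `CLAUSE`, and the payloads are constructed for illustration; Vikunja's real filter syntax and its original sanitiser are not shown on this page. Entity encoding is what Vue's `{{ }}` / `v-text` does implicitly; it is spelled out here so the effect is visible.

```javascript
// Added example (not Vikunja's code). Models the advisory's denylist approach
// beside the recommended fixes. Denylist, grammar and payloads are assumptions.

// Vulnerable approach: strip only <script> and <iframe>, then render as HTML.
// Every other tag survives, which is the HTML injection the advisory describes.
function denylistSanitize(value) {
  return value.replace(/<\/?(script|iframe)\b[^>]*>/gi, "");
}

// Fix 1: HTML entity encode at the rendering point. This is the same
// transformation Vue applies for {{ }} interpolation and v-text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Fix 2: server-side syntax validation. Hypothetical grammar for illustration:
// one or more `field op value` clauses joined by && or ||, where value is a
// bare token or a double-quoted string with no angle brackets. Anything else
// (including any '<') is rejected before it can reach a renderer.
const CLAUSE =
  /^\s*[A-Za-z_][A-Za-z0-9_]*\s*(=|!=|>=|<=|>|<|like|in)\s*("[^"<>]*"|[A-Za-z0-9_.:-]+)\s*$/i;

function isValidFilterSyntax(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 512) return false;
  return value.split(/&&|\|\|/).every((clause) => CLAUSE.test(clause));
}

// True if a string still contains something the browser would parse as a tag.
function containsTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed payloads modelled on the advisory: one tag the denylist blocks,
// three it lets through (phishing link, SVG "button", spoofed heading), and a
// legitimate filter expression under the hypothetical grammar.
const PAYLOADS = {
  script: "<script>alert(1)</script>",
  phishingLink: '<a href="https://attacker.example/login">Session expired, sign in again</a>',
  svgButton: '<svg width="120" height="40"><rect width="120" height="40" fill="red"/></svg>',
  spoofHeading: "<h1>Your account has been suspended</h1>",
  legit: "done = false && priority >= 3",
};

// For one payload, report whether each strategy leaves a renderable tag
// and whether the syntax validator would have accepted it at all.
function evaluate(payload) {
  return {
    denylistStillHasTag: containsTag(denylistSanitize(payload)),
    escapedStillHasTag: containsTag(escapeHtml(payload)),
    passesSyntaxCheck: isValidFilterSyntax(payload),
  };
}

for (const [name, payload] of Object.entries(PAYLOADS)) {
  console.log(name, evaluate(payload));
}
```

Running the block shows the pattern the advisory describes: the denylist removes `<script>` but leaves the `<a>`, `<svg>` and `<h1>` payloads intact, whereas entity encoding leaves no tag in any of them, and the syntax validator accepts only the legitimate filter. In production, prefer the framework's own escaping (`v-text` / `{{ }}`) or a DOMPurify allowlist over a hand-rolled regex, and keep the server-side validator as the second layer.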