PT-2021-24349 · Unknown · Molecularfaces

Published: 2021-04-16 · Updated: 2025-11-28 · CVE-2024-0758

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: MolecularFaces versions prior to 0.3.0
Description: The issue allows a remote attacker to execute arbitrary JavaScript in the context of a victim's browser via crafted molfiles. The cause is the viewer plugin implementation of <mol:molecule>, which renders molfile data directly inside a <script> tag without any escaping, so molfile content can terminate the script context and inject JavaScript that the client browser executes.
Recommendations: For versions prior to 0.3.0, update to version 0.3.0 or later, where molfile data is rendered as the value of a hidden <input> tag and escaped via JSF's standard output escaping. As a temporary workaround, consider restricting the rendering of molfiles from untrusted sources until the patch is applied.
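The following is an added illustration, not MolecularFaces' own (Java/JSF) code: a small JavaScript model of the two rendering strategies the advisory contrasts, with a check that the hidden-input form cannot terminate a script context and still hands the viewer the original molfile. The escaping function, the `mol1` id and the sample molfile are assumptions constructed for the demonstration.

```javascript
// Added example, not code from the MolecularFaces project.
// Stand-in for HTML attribute escaping comparable to what JSF applies to an
// <input> value (assumption: this is not JSF's implementation).
function escapeHtmlAttribute(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // must run first so later entities stay intact
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// What a browser does when exposing input.value to script: the viewer
// receives the original molfile text, not the escaped form.
function decodeHtmlAttribute(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Pre-0.3.0 style (as described in the advisory): molfile text concatenated
// straight into a <script>. The HTML parser ends the script element at the
// first "</script" it sees, so molfile content decides what runs next.
function renderInsideScript(molfile) {
  return '<script>var molfile = "' + molfile + '";</script>';
}

// 0.3.0 style: molfile stored as the escaped value of a hidden <input>;
// the viewer reads it from the DOM instead of from inline JavaScript.
function renderAsHiddenInput(id, molfile) {
  return '<input type="hidden" id="' + escapeHtmlAttribute(id) +
         '" value="' + escapeHtmlAttribute(molfile) + '" />';
}

// Defender-side check: can anything in the rendered markup close a <script>?
function closesScriptTag(html) {
  return /<\/script/i.test(html);
}

// Reads the hidden input's value back the way the viewer would.
function extractHiddenValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? decodeHtmlAttribute(m[1]) : null;
}

// Constructed molfile: header lines followed by a line that, unescaped,
// would terminate the surrounding <script> element (no executable payload).
const SAMPLE_MOLFILE = 'benzene\n  demo\n</script><b>text</b>';

console.log('inline <script>:', closesScriptTag(renderInsideScript(SAMPLE_MOLFILE)));   // true
console.log('hidden <input>:', closesScriptTag(renderAsHiddenInput('mol1', SAMPLE_MOLFILE))); // false
```

Running it prints `true` for the inline-script rendering and `false` for the hidden-input rendering, while `extractHiddenValue` returns the molfile unchanged.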

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-0758
GHSA-2PWH-52H7-7J84
GHSA-WC6F-QJXC-622V

Affected Products

Molecularfaces