Apryse WebViewer UI (React SPA inside an iframe)
CRITICAL
AI helps write your code.
See how Novee helps it fix your vulnerabilitiesAI helps write your code.
See how Novee helps it fix your vulnerabilitiesApryse WebViewer UI (React SPA inside an iframe)
v11.8 and likely earlier versions.
The WebViewer UI fetches a remote JSON configuration file from an attacker-controlled URL passed via a query parameter, leading to script execution when a config field reaches an unsafe DOM sink.
The uiConfig parameter is read from the URL and fetched without validation. A specific field in the resulting JSON reaches the Icon.js component, which uses dangerouslySetInnerHTML. While DOMParser usually strips SVG scripts, the researchers bypassed this using a <foreignObject> tag, which switches the browser from an SVG to an HTML parsing context, allowing onerror handlers to execute.