Apryse WebViewer UI (React SPA inside an iframe)
CRITICAL
Your AI coding agent will run this exploit for you
See how we found a high-severity CVE in CursorYour AI coding agent will run this exploit for you
See how we found a high-severity CVE in CursorApryse WebViewer UI (React SPA inside an iframe)
v11.8 and likely earlier versions.
The WebViewer UI fetches a remote JSON configuration file from an attacker-controlled URL passed via a query parameter, leading to script execution when a config field reaches an unsafe DOM sink.
The uiConfig parameter is read from the URL and fetched without validation. A specific field in the resulting JSON reaches the Icon.js component, which uses dangerouslySetInnerHTML. While DOMParser usually strips SVG scripts, the researchers bypassed this using a <foreignObject> tag, which switches the browser from an SVG to an HTML parsing context, allowing onerror handlers to execute.