{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1461", "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "state": "PUBLISHED", "assignerShortName": "HeroDevs", "dateReserved": "2025-02-18T20:50:31.387Z", "datePublished": "2025-05-28T17:26:51.320Z", "dateUpdated": "2025-05-29T19:02:08.446Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "vuetify", "product": "Vuetify", "repo": "https://github.com/vuetifyjs/vuetify", "vendor": "N/A", "versions": [{"status": "affected", "version": ">=2.0.0 <3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "abze"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper neutralization of the value of the '<tt>eventMoreText</tt>' property of the '<tt><span style=\"background-color: rgb(255, 255, 255);\">VCalendar</span></tt><span style=\"background-color: rgb(255, 255, 255);\">' component&nbsp;</span>in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/xss\">Cross-Site Scripting (XSS)</a>&nbsp;attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.<br><br>This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.<br><br><b>Note:</b><br>Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see <a target=\"_blank\" rel=\"nofollow\" href=\"https://v2.vuetifyjs.com/en/about/eol/\">here</a>.<br>"}], "value": "Improper neutralization of the value of the 'eventMoreText' property of the 'VCalendar' component\u00a0in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a\u00a0 Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss \u00a0attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.\n\nThis issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.\n\nNote:\nVersion 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ ."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs", "dateUpdated": "2025-05-28T17:27:41.127Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-1461"}, {"tags": ["technical-description", "exploit"], "url": "https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned", "x_open-source"], "title": "Vuetify XSS through 'eventMoreText' prop of VCalendar", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-29T19:01:31.139781Z", "id": "CVE-2025-1461", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-29T19:02:08.446Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1461", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-29T19:01:31.139781Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-29T19:01:40.348Z"}}], "cna": {"tags": ["unsupported-when-assigned", "x_open-source"], "title": "Vuetify XSS through 'eventMoreText' prop of VCalendar", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "abze"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/vuetifyjs/vuetify", "vendor": "N/A", "product": "Vuetify", "versions": [{"status": "affected", "version": ">=2.0.0 <3.0.0", "versionType": "semver"}], "packageName": "vuetify", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-1461", "tags": ["third-party-advisory"]}, {"url": "https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461", "tags": ["technical-description", "exploit"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper neutralization of the value of the 'eventMoreText' property of the 'VCalendar' component\u00a0in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a\u00a0 Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss \u00a0attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.\n\nThis issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.\n\nNote:\nVersion 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ .", "supportingMedia": [{"type": "text/html", "value": "Improper neutralization of the value of the '<tt>eventMoreText</tt>' property of the '<tt><span style=\"background-color: rgb(255, 255, 255);\">VCalendar</span></tt><span style=\"background-color: rgb(255, 255, 255);\">' component&nbsp;</span>in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/xss\">Cross-Site Scripting (XSS)</a>&nbsp;attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.<br><br>This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.<br><br><b>Note:</b><br>Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see <a target=\"_blank\" rel=\"nofollow\" href=\"https://v2.vuetifyjs.com/en/about/eol/\">here</a>.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs", "dateUpdated": "2025-05-28T17:27:41.127Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1461", "state": "PUBLISHED", "dateUpdated": "2025-05-29T19:02:08.446Z", "dateReserved": "2025-02-18T20:50:31.387Z", "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "datePublished": "2025-05-28T17:26:51.320Z", "assignerShortName": "HeroDevs"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of the value of the 'eventMoreText' property of the 'VCalendar' component\u00a0in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a\u00a0 Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss \u00a0attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.\n\nThis issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.\n\nNote:\nVersion 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ ."}], "id": "CVE-2025-1461", "lastModified": "2025-05-29T14:29:50.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary"}]}, "published": "2025-05-28T18:15:25.953", "references": [{"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "url": "https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461"}, {"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-1461"}], "sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary"}]}

{}