@ui5/webcomponents-base is vulnerable to Inclusion of Functionality from Untrusted Control Sphere
59
Medium Risk
The framework validates the configured themeRoot in validateThemeRoot before creating the theme CSS <link> element that loads style variables. Protocol-relative URLs such as //attacker.example start with /, so they are treated as relative paths and resolved against the current page, producing the attacker origin and bypassing the origin allowlist that is enforced for other absolute cross-origin URLs. An application that lets untrusted input reach the themeRoot configuration therefore loads theme stylesheets from an attacker-controlled origin, enabling external CSS injection. The fix resolves protocol-relative and relative inputs to the current origin and only creates the link element from a validated, normalized theme root.
You are affected if you are using a version that falls within the vulnerable range and your application has not disabled sap-ui-theme URL-parameter configuration.
@ui5/webcomponents-base is vulnerable to Inclusion of Functionality from Untrusted Control Sphere in versions 1.12.0 - 2.17.1.
Upgrade the @ui5/webcomponents-base library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant