CVE-2024-0758: 
Java vulnerability analysis and mitigation

CVE-2024-0758 affects MolecularFaces versions before 0.3.0. The vulnerability was discovered and disclosed on January 19, 2024, and involves a cross-site scripting (XSS) vulnerability that affects the software's handling of molfiles (NVD, GitHub Advisory).

The vulnerability is a cross-site scripting (XSS) issue where the viewer plugin implementation renders molfile data directly inside a tag without proper escaping. This vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating it is network accessible, requires low attack complexity, and needs user interaction (NVD).

A remote attacker can execute arbitrary JavaScript code in the context of a victim's browser through crafted molfiles. This could potentially lead to unauthorized access to sensitive browser-based information or perform actions on behalf of the victim user (GitHub Advisory).

The vulnerability has been patched in version 0.3.0 of MolecularFaces. In the patched version, molfile data is now rendered as a value of a hidden tag and properly escaped via JSF's mechanisms. Users should upgrade to version 0.3.0 or later as no other workarounds are available (GitHub Advisory).