[NO LONGER SUPPORTED][Standalone] NeroHiro’s Context Menu v2 - Now for RedM & FiveM

Yeah, I’m an idiot, fixed it.

1 Like

Glad you brought this back, been using it since release, I absolutely love it.

1 Like

PSA: this release essentially allows a Lua executor within NUI. Please don’t use it without patching it. Even worse, it allows you to TriggerServerEvent. This is already possible with many resources like “bt-target”, but I beg you to either patch it out or use another solution until this major vulnerability is patched.

This lacks any sort of front-end protection. I know qtarget has done a great job of patching this exploit in bt-target: qtarget/client.lua at 9032947e78ecee281c6d0a24cb08d96a256f041f · overextended/qtarget · GitHub

The exploit is here: nh-context/client.lua at 8d5868e56ad33141faf0495cd6b06967ee936c1c · nerohiro/nh-context · GitHub

And with a reformed object within JavaScript you can post to it with whatever data.event, data.serverevent, etc. you want.

Can’t help but be speculative, but people can inject Lua events regardless with the right tools. Unless you know exactly how to pass arguments through the context NUI, it wouldn’t even send anything more than a trigger event with probably broken parameters. I have my own system that prevents people injecting events for my personal frameworks, but those are private; nonetheless it shouldn’t have any major issues. Perhaps you can show me exactly how someone would abuse this system yourself?

$.post("https://nh-context/dataPost", JSON.stringify({"args":[{"arg":"warrener"},{"arg":2}], "context":"this is useless", "event":"esx:spawnVehicle", "header":"useless"}))

You can use this post inside of any JavaScript script to trigger basically anything, and doing so can be very dangerous for servers that aren’t patched. If you think you are invincible, think again: you can toggle the network event log on.

$.post("https://nh-context/dataPost", JSON.stringify({"args":[{"arg":"99999999"},{"arg":2}], "context":"this is useless", "event":"random:job_Payout", "header":"useless", "server":true}))

1 Like
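
One way to close the NUI path described in the posts above, as an added example that is not nh-context's or qtarget's code: the Lua client keeps each button's event and arguments in its own state, and the NUI page posts back only a button id. The entry layout, the `token` and `id` fields and the `garage:open` event are assumptions made for illustration; `dataPost` and the FiveM natives are existing names.

```lua
-- Added example, not nh-context code. Event names and arguments never leave
-- Lua; the NUI page receives display text and posts back only a button id.
local activeMenu = nil  -- entries of the menu that is currently open
local menuToken = 0     -- bumped on every open so posts for an old menu fail

-- entries (assumed layout): { {header=, context=, event=, args={}, server=bool}, ... }
-- Returns the token and the display-only rows that may be sent to the NUI page.
local function openMenu(entries)
    menuToken = menuToken + 1
    activeMenu = entries
    local rows = {}
    for id, e in ipairs(entries) do
        rows[id] = { id = id, header = e.header, context = e.context }
    end
    return menuToken, rows
end

-- Maps a post from the NUI page to a stored entry. Any event/args/server
-- fields in the post are ignored; only token and id are read.
local function resolvePost(data)
    if type(data) ~= "table" or activeMenu == nil then return nil end
    if data.token ~= menuToken or type(data.id) ~= "number" then return nil end
    local entry = activeMenu[data.id]
    if entry then activeMenu = nil end  -- one click per opened menu
    return entry
end

if RegisterNUICallback then  -- defined only inside the FiveM client runtime
    RegisterNUICallback("dataPost", function(data, cb)
        local entry = resolvePost(data)
        if entry then
            local trigger = entry.server and TriggerServerEvent or TriggerEvent
            trigger(entry.event, table.unpack(entry.args or {}))
        end
        cb("ok")
    end)
else
    -- Constructed demo for a plain Lua interpreter; "garage:open" is hypothetical.
    local token = openMenu({ { header = "Garage", context = "Open", event = "garage:open" } })
    -- A post shaped like the ones quoted in the thread carries no valid token/id.
    assert(resolvePost({ event = "esx:spawnVehicle", args = {}, server = true }) == nil)
    assert(resolvePost({ token = token, id = 99 }) == nil)
    assert(resolvePost({ token = token, id = 1 }).event == "garage:open")
    assert(resolvePost({ token = token, id = 1 }) == nil)  -- menu already used
end
```

This narrows what a forged post can reach to the buttons a script actually offered. Server event handlers still have to check the source and arguments themselves, because the client side is never a trust boundary.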

Good design, just a liability to run for most servers that are running QBUS and ESX and the general consumer frameworks that this is targeted at.

1 Like

Spawning cars for dayssss

You don’t even need any injector or cheat menu. Simply open Devtools in F8 and paste it into console.

so good…
my compliments :slight_smile:

1 Like

I’ll change it when I get home. I’ve never really had this issue, but I also use my own framework along with anti-cheat, but I can see what you mean.

Thank you for bringing this to my attention, I don’t keep up with how people cheat too much.

Edit: Alright, I pushed something on my phone, dunno if it’ll work; if not I’ll actually fix it when I get home.

Now, I appreciate you actually putting in work to fix the problem at hand, respect for that, but it should have never been an issue. I think people constantly overlook NUI as a potential security flaw, but it can be one of the more dangerous ones that allows ANYONE to exploit.

The thought has never even passed my mind. It’s not something many know about, apparently; it also seems like something cfx might wanna look into improving to prevent such easy abuse.

Well, to be honest, I have seen prominent CFX and FiveM developers shame people with vulnerable NUIs and warn them the development tools are there to avoid exploits like this existing, so people can find them and harden security even more.

Yes, it’s frustrating, yes, it’s work to patch, but at the end of the day you created a context menu that is used by a lot of the current servers, and a lot of resources require it as a dependency, so people are forced into using it.

I can also suggest commenting on the old thread for Context Menu V1 and telling people to update, as it’s a big security risk to run the old version.

1 Like

Thank you for the re-release, NH!

1 Like

NH-Context v2.2

In this update I added a few new QOL features including:

  • Added a disabled boolean to make a button unable to be pressed, along with changing the color of the button
  • Added a subMenu boolean to show a right-pointing arrow to signify that this button opens a submenu
  • Added a footer string variable to have another line of text at the bottom of your button

Is this backwards compatible? Like, scripts that use the old format will still be fine?

If you are referring to 1.0, no, you’ll have to update your scripts.

Is this scrollable?