ghsa-79mx-88w7-8f7q
Vulnerability from github
Published
2018-11-06 23:12
Modified
2021-09-02 21:06
Severity ?
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
XSS Filter Bypass via Encoded URL in validator
Details

Versions of validator prior to 2.0.0 contained an xss filter method that is affected by several filter bypasses. This may result in a cross-site scripting vulnerability.

Proof of Concept

The xss() function removes the word "javascript" when contained inside an attribute.

However, it does not properly handle cases where characters have been hex-encoded.

As a result, it is possible to build an input that bypasses the filter but which the browser will accept as valid JavaScript.

For example: <a href="jav&#x61;script:...">abc</a> will render as: <a href="javascript:...">abc</a>

Recommendation

The package author has decided to remove the xss filter functionality in the latest version of this module. If this feature is not currently being used, you are not affected by the vulnerability. If it is being used, updating to the latest version of the module will break your application.

In order for affected users to mitigate this vulnerability, it is necessary to use an alternative package that provides similar functionality.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "validator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-9772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:22:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `validator` prior to 2.0.0 contained an xss filter method that is affected by several filter bypasses. This may result in a cross-site scripting vulnerability.\n\n\n## Proof of Concept\nThe xss() function removes the word \"javascript\" when contained inside an attribute.\n\nHowever, it does not properly handle cases where characters have been hex-encoded. \n\nAs a result, it is possible to build an input that bypasses the filter but which the browser will accept as valid JavaScript.\n\nFor example:\n```\u003ca href=\"jav\u0026#x61;script:...\"\u003eabc\u003c/a\u003e```\nwill render as:\n```\u003ca href=\"javascript:...\"\u003eabc\u003c/a\u003e```\n\n\n## Recommendation\n\nThe package author has decided to remove the xss filter functionality in the latest version of this module. If this feature is not currently being used, you are not affected by the vulnerability. If it is being used, updating to the latest version of the module will break your application.\n\nIn order for affected users to mitigate this vulnerability, it is necessary to use an [alternative package](https://www.npmjs.com/search?q=xss%20filter\u0026page=1\u0026ranking=optimal) that provides similar functionality.",
  "id": "GHSA-79mx-88w7-8f7q",
  "modified": "2021-09-02T21:06:02Z",
  "published": "2018-11-06T23:12:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9772"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chriso/validator.js/issues/181"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-79mx-88w7-8f7q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chriso/validator.js"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/43"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97102"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XSS Filter Bypass via Encoded URL in validator"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.