GHSA-79MX-88W7-8F7Q

Vulnerability from github – Published: 2018-11-06 23:12 – Updated: 2021-09-02 21:06
Summary
XSS Filter Bypass via Encoded URL in validator
Details

Versions of validator prior to 2.0.0 contained an xss filter method that is affected by several filter bypasses. This may result in a cross-site scripting vulnerability.

Proof of Concept

The xss() function removes the word "javascript" when contained inside an attribute.

However, it does not properly handle cases where characters have been hex-encoded, such as the HTML character reference &#x61; for the letter "a".

As a result, it is possible to build an input that bypasses the filter but which the browser will accept as valid JavaScript.

For example:

<a href="jav&#x61;script:...">abc</a>

will render as:

<a href="javascript:...">abc</a>

Recommendation

The package author has decided to remove the xss filter functionality in the latest version of this module. If this feature is not currently being used, you are not affected by the vulnerability. If it is being used, updating to the latest version of the module will break your application.

In order for affected users to mitigate this vulnerability, it is necessary to use an alternative package that provides similar functionality.
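The following added example (not code from the advisory or from the validator project) shows why deleting the literal word misses the encoded value from the Proof of Concept, and what a replacement check has to do instead: decode character references first, then allow only known schemes. `naiveStrip` is a simplified stand-in for a blacklist filter, not validator's actual `xss()` implementation, and the allowed scheme list and function names are assumptions.

```javascript
// Added example, not validator's code. Inputs below are constructed;
// the first is the proof of concept quoted in the advisory.
const SAMPLES = [
  'jav&#x61;script:...',
  'https://example.com/a?b=1&c=2',
  '/docs/page#top',
];

// Simplified stand-in for a blacklist filter that deletes the literal word.
function naiveStrip(value) {
  return value.replace(/javascript/gi, '');
}

// Decode numeric character references (hex and decimal) as an HTML
// attribute parser does before the URL is interpreted.
function decodeNumericRefs(value) {
  return value.replace(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/g, (_, hex, dec) => {
    const cp = parseInt(hex || dec, hex ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

// Assumed policy: only these schemes, or a scheme-less relative URL.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeHref(raw) {
  // Normalise for the decision only: decode, then drop whitespace and
  // control characters, which URL parsers ignore or trim.
  const url = decodeNumericRefs(raw).replace(/[\u0000-\u0020]+/g, '');
  const head = url.split(/[\/?#]/, 1)[0]; // where a scheme could appear
  if (head.includes('&')) return false;   // undecoded reference: reject
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(head);
  if (!m) return !head.includes(':');     // relative URL, no stray colon
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

function report() {
  return SAMPLES.map((s) => ({
    input: s,
    blacklistOutput: naiveStrip(s), // unchanged for the encoded input
    allowed: isSafeHref(s),
  }));
}

console.log(report());
```

The check is deliberately conservative: a relative URL with a colon or an undecoded `&` before the first `/`, `?` or `#` is rejected rather than guessed at.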


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "validator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-9772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:22:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `validator` prior to 2.0.0 contained an xss filter method that is affected by several filter bypasses. This may result in a cross-site scripting vulnerability.\n\n\n## Proof of Concept\nThe xss() function removes the word \"javascript\" when contained inside an attribute.\n\nHowever, it does not properly handle cases where characters have been hex-encoded. \n\nAs a result, it is possible to build an input that bypasses the filter but which the browser will accept as valid JavaScript.\n\nFor example:\n```\u003ca href=\"jav\u0026#x61;script:...\"\u003eabc\u003c/a\u003e```\nwill render as:\n```\u003ca href=\"javascript:...\"\u003eabc\u003c/a\u003e```\n\n\n## Recommendation\n\nThe package author has decided to remove the xss filter functionality in the latest version of this module. If this feature is not currently being used, you are not affected by the vulnerability. If it is being used, updating to the latest version of the module will break your application.\n\nIn order for affected users to mitigate this vulnerability, it is necessary to use an [alternative package](https://www.npmjs.com/search?q=xss%20filter\u0026page=1\u0026ranking=optimal) that provides similar functionality.",
  "id": "GHSA-79mx-88w7-8f7q",
  "modified": "2021-09-02T21:06:02Z",
  "published": "2018-11-06T23:12:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9772"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chriso/validator.js/issues/181"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-79mx-88w7-8f7q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chriso/validator.js"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/43"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97102"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XSS Filter Bypass via Encoded URL in validator"
}

