Open huntr-helper opened 4 years ago
Could we get this high severity XSS vulnerability security bug looked at?
If the project is abandoned, please let us know, but if not, it's coming close to a year for a couple lines fix for a security bug... Thanks!
Just a ping on this -- it's a high vuln, with a fix, can someone with write access merge this in?
https://huntr.dev/users/Mik317 has fixed the Cross-site Scripting (XSS) vulnerability. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/form/pull/1 |
| GitHub Issue URL | https://github.com/jquery-form/form/issues/464 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/form/1/README.md |
User Comments:
Metadata *
Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.
Bounty URL: https://www.huntr.dev/bounties/1-npm-form
Description *
The `form` library suffered from an XSS issue, which was caused by 2 minor issues inside the code, which made possible the usage of `eval` on unsanitized values (inside the "override" of `parseJSON`) and `html parsing` on an unsanitized AJAX response.

Technical Description *
The 2 issues have been fixed in the following way:

The `eval` inside the `parseJSON` function has been removed, while an error has been added which arises when the default `$.parseJSON` function (on `jquery`) isn't declared (anyone with good intentions would simply add the `jquery` script on the page and all works correctly again).

The unsanitized AJAX response was previously passed to `parseHTML` without any check, making it possible to inject additional `HTML`. I used a peculiarity of `jquery` to translate the `HTML` nodes evaluated into `text nodes`, which are equal to `HTML encoded entities` (can be verified seeing this: )

Proof of Concept (PoC) *
No PoC was provided, so I worked mostly theoretically on the issue/lines identified by the 2 issues in the original repo.

Proof of Fix (PoF) *
Theoretical fix :smile:
User Acceptance Testing (UAT)
Can't be sure of this, but it seems all OK (nodes are still nodes of a different type, and a function is null --> raises an exception due to an undefined function).
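The two fixes described in the report, as an added illustration that is not code from the jquery-form project or from the fix author: the shape of the legacy `eval`-based `parseJSON` fallback, the `parser` parameter standing in for `$.parseJSON`, and the helper names are assumptions; the text-node conversion is reproduced as explicit entity escaping because Node has no DOM.

```javascript
// Added example (not jquery-form's code). Contrasts the eval-based parseJSON
// fallback with a strict parser that errors when no real JSON parser exists,
// and turns an untrusted AJAX response into text instead of parsing it as HTML.

// Assumed shape of the legacy fallback: eval() on an unsanitized string, so any
// JavaScript expression in the response body is executed, not just JSON data.
function legacyParseJSON(s) {
  return (0, eval)('(' + s + ')');
}

// Hardened replacement following the report: eval is gone, and when the real
// parser (`parser` stands in for $.parseJSON) is missing we raise an error
// rather than falling back to code execution.
function strictParseJSON(s, parser) {
  if (typeof parser !== 'function') {
    throw new Error('parseJSON: $.parseJSON is not defined (load jQuery)');
  }
  return parser(s);
}

// Second issue: a response handed straight to an HTML parser. The fix keeps the
// response as a text node, i.e. HTML-encoded entities; done here explicitly.
function responseAsText(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Runs one response body through both parsers and reports what each produced,
// so the difference between "data" and "code" is visible.
function compareParsers(body) {
  var out = { legacy: null, strict: null };
  try { out.legacy = legacyParseJSON(body); } catch (e) { out.legacy = 'rejected'; }
  try { out.strict = strictParseJSON(body, JSON.parse); } catch (e) { out.strict = 'rejected'; }
  return out;
}

// Constructed sample bodies: valid JSON, and a body that is executable code.
var plainJson = '{"status":"ok"}';
var codeBody = '(function () { return "executed"; })()';
console.log(compareParsers(plainJson)); // both parsers return { status: 'ok' }
console.log(compareParsers(codeBody));  // legacy: 'executed', strict: 'rejected'
console.log(responseAsText('<b>hi</b>')); // &lt;b&gt;hi&lt;/b&gt;
```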