vakata / jstree

jquery tree plugin
http://jstree.com
MIT License

The jstree package is vulnerable to Cross-Site Scripting (XSS) #2772

Closed Idris-Morae closed 1 month ago

Idris-Morae commented 8 months ago

We are using Sonatype for scanning binaries that we use.

The jstree package is vulnerable to Cross-Site Scripting (XSS). The get_node() function in jstree.js passes the user input to jQuery in an unsafe manner. A remote attacker can exploit this vulnerability to execute arbitrary JavaScript in a victim's browser context.

fd63728762c93892f506e158be58a0d98034ccff.zipKarmabunny-sprout3-fd63728/src/media/js/jstree.min.js( , 3.3.6)

The application is vulnerable by using this component.

We are using vakata-jstree-3.3.16

Is there a version of this component that is not vulnerable to this specific issue?

Thanks
Kind regards, Idris

vakata commented 1 month ago

get_node is an internal function. I struggle to see how you could pass user input to it - maybe it is application dependent? Please share a demo of the XSS so that I can provide a fix. Also sorry for the long delay in getting back to you. I will reopen this when there is a way to reproduce the issue.
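A hardened lookup on the application side, as an added example that is not jstree's code and does not establish what, if anything, get_node() does unsafely (the maintainer asks for a reproduction above): untrusted input is allow-listed and CSS-escaped before it can reach a jQuery selector, and anything jQuery could parse as HTML is rejected. The node id pattern is an assumption for this example.

```javascript
// Added example, not jstree's code. Hardening on the caller side: when an
// application maps untrusted input (URL hash, query string, form field) to a
// tree node id before calling get_node(), the id should reach jQuery only as
// a selector, never as something $() could parse as HTML.

// Conservative HTML-sink check: jQuery 1.9+ treats a string as HTML when it
// starts (after whitespace) with "<"; pre-1.9 versions did so for a "<"
// anywhere in the string, so reject both shapes.
function looksLikeHtml(input) {
  return /</.test(String(input));
}

// Port of the CSSOM CSS.escape() algorithm (what CSS.escape and
// jQuery.escapeSelector implement), so the result always parses as one ID.
function cssEscape(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c === 0) { out += "\uFFFD"; continue; }              // NUL -> U+FFFD
    const isDigit = c >= 0x30 && c <= 0x39;
    if ((c >= 0x1 && c <= 0x1f) || c === 0x7f ||            // control chars
        (i === 0 && isDigit) ||                              // leading digit
        (i === 1 && isDigit && s.charCodeAt(0) === 0x2d)) {  // "-" then digit
      out += "\\" + c.toString(16) + " ";
      continue;
    }
    if (i === 0 && c === 0x2d && s.length === 1) { out += "\\-"; continue; }
    if (c >= 0x80 || c === 0x2d || c === 0x5f || isDigit ||
        (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a)) {
      out += s[i];                                           // safe as-is
      continue;
    }
    out += "\\" + s[i];                                      // escape meta char
  }
  return out;
}

// Returns an ID selector safe to hand to $(...) / .find(...), or null when the
// input should be rejected outright. The allow-list comes first: a real
// application knows what its node ids look like (assumed here: [A-Za-z0-9_-],
// 1 to 64 characters).
const NODE_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;
function safeNodeSelector(untrustedId) {
  const id = String(untrustedId);
  if (looksLikeHtml(id)) return null;            // never reach the HTML sink
  if (!NODE_ID_PATTERN.test(id)) return null;    // outside the expected id shape
  return "#" + cssEscape(id);                    // leading digits still escaped
}
```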