GHSA-5CP4-XMRW-59WF

Vulnerability from github – Published: 2020-08-05 21:47 – Updated: 2021-10-08 21:25
VLAI?
Summary
XSS via JQLite DOM manipulation functions in AngularJS
Details

Summary

XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element.

Description

JQLite (DOM manipulation library that's part of AngularJS) manipulates input HTML before inserting it to the DOM in jqLiteBuildFragment.

One of the modifications performed expands an XHTML self-closing tag.

If jqLiteBuildFragment is called (e.g. via new JQLite(aString)) with user-controlled HTML string that was sanitized (e.g. with DOMPurify), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript - and trigger an XSS when the payload is inserted into DOM.

This is similar to a bug in jQuery htmlPrefilter function that was fixed in 3.5.0.

Proof of concept

const inertPayload = `<div><style><style/><img src=x onerror="alert(1337)"/>` 

Note that the style element is not closed and <img would be a text node inside the style if inserted into the DOM as-is. As such, some HTML sanitizers would leave the <img as is without processing it and stripping the onerror attribute.

angular.element(document).append(inertPayload);

This will alert, as <style/> will be replaced with <style></style> before adding it to the DOM, closing the style element early and reactivating img.

Patches

The issue is patched in JQLite bundled with angular 1.8.0. AngularJS users using JQuery should upgrade JQuery to 3.5.0, as a similar vulnerability affects jQuery <3.5.0.

Workarounds

Changing sanitizer configuration not to allow certain tag grouping (e.g. <option><style></option>) or inline style elements may stop certain exploitation vectors, but it's uncertain if all possible exploitation vectors would be covered. Upgrade of AngularJS to 1.8.0 is recommended.

References

https://github.com/advisories/GHSA-mhp6-pxh8-r675 https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6 https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://snyk.io/vuln/SNYK-JS-ANGULAR-570058

Severity ?
5.0 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "angular"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-05T21:46:46Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nXSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to `JQLite` methods like `JQLite.prepend`, `JQLite.after`, `JQLite.append`, `JQLite.replaceWith`, `JQLite.append`, `new JQLite` and `angular.element`.\n\n### Description\n\nJQLite (DOM manipulation library that\u0027s part of AngularJS) manipulates input HTML before inserting it to the DOM in `jqLiteBuildFragment`.\n\nOne of the modifications performed [expands an XHTML self-closing tag](https://github.com/angular/angular.js/blob/418355f1cf9a9a9827ae81d257966e6acfb5623a/src/jqLite.js#L218).\n\nIf `jqLiteBuildFragment` is called (e.g. via `new JQLite(aString)`) with user-controlled HTML string that was sanitized (e.g. with [DOMPurify](https://github.com/cure53/DOMPurify)), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript - and trigger an XSS when the payload is inserted into DOM.\n\nThis is similar to a bug in jQuery `htmlPrefilter` function that was [fixed in 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/).\n\n### Proof of concept\n\n```javascript\nconst inertPayload\u00a0=\u00a0`\u003cdiv\u003e\u003cstyle\u003e\u003cstyle/\u003e\u003cimg src=x onerror=\"alert(1337)\"/\u003e`\u00a0\n```\nNote that the style element is not closed and `\u003cimg` would be a text node inside the style if inserted into the DOM as-is.\nAs such, some HTML sanitizers would leave the `\u003cimg` as is without processing it and stripping the `onerror` attribute.\n\n```javascript\nangular.element(document).append(inertPayload);\n```\nThis will alert, as `\u003cstyle/\u003e` will be replaced with `\u003cstyle\u003e\u003c/style\u003e` before adding it to the DOM, closing the style element early and reactivating `img`.\n\n### Patches\nThe issue is patched in `JQLite` bundled with angular 1.8.0. AngularJS users using JQuery should upgrade JQuery to 3.5.0, as a similar vulnerability [affects jQuery \u003c3.5.0](https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2).\n\n### Workarounds\nChanging sanitizer configuration not to allow certain tag grouping (e.g. `\u003coption\u003e\u003cstyle\u003e\u003c/option\u003e`) or inline style elements may stop certain exploitation vectors, but it\u0027s uncertain if all possible exploitation vectors would be covered. Upgrade of AngularJS to 1.8.0 is recommended.\n\n### References\nhttps://github.com/advisories/GHSA-mhp6-pxh8-r675\nhttps://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2\nhttps://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6\nhttps://blog.jquery.com/2020/04/10/jquery-3-5-0-released/\nhttps://snyk.io/vuln/SNYK-JS-ANGULAR-570058",
  "id": "GHSA-5cp4-xmrw-59wf",
  "modified": "2021-10-08T21:25:58Z",
  "published": "2020-08-05T21:47:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/security-research/security/advisories/GHSA-5cp4-xmrw-59wf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6"
    },
    {
      "type": "WEB",
      "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mhp6-pxh8-r675"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular.js"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XSS via JQLite DOM manipulation functions in AngularJS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.