GHSA-8266-84WP-WV5C

Vulnerability from github – Published: 2024-08-30 16:49 – Updated: 2024-08-30 20:01
Summary
Svelte has a potential mXSS vulnerability due to improper HTML escaping
Details

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

  • If the string is an attribute value:
    • " -> &quot;
    • & -> &amp;
    • Other characters -> No conversion
  • Otherwise:
    • < -> &lt;
    • & -> &amp;
    • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag
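The escaping rules and the <noscript> PoC above, modelled as an added example (not Svelte's own code): the attribute escaper exactly as the advisory lists it, beside a hardened variant that also escapes < (an assumption for this example, not necessarily the project's patch), both rendered through a stand-in for the +page.svelte template, with a check that counts tag boundaries in the server output.

```javascript
// Added example (not Svelte's own code): models the SSR escaping rules the
// advisory lists and shows why they fail inside <noscript>.

// Attribute escaper exactly as the advisory describes pre-4.2.19 behaviour:
// only '"' and '&' are converted, so '<' and '>' pass through untouched.
function escapeAttrVulnerable(value) {
  return String(value).replace(/["&]/g, (c) => (c === '"' ? '&quot;' : '&amp;'));
}

// Text-node escaper as the advisory describes it.
function escapeText(value) {
  return String(value).replace(/[<&]/g, (c) => (c === '<' ? '&lt;' : '&amp;'));
}

// Hardened variant (an assumption for this example, not necessarily the
// project's patch): also escape '<' so an attribute value can never open or
// close a tag even if the browser parses the surrounding markup differently.
function escapeAttrHardened(value) {
  return String(value).replace(/["&<]/g, (c) =>
    c === '"' ? '&quot;' : c === '&' ? '&amp;' : '&lt;');
}

// Stand-in for the advisory's +page.svelte template rendered on the server.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript>\n  <a href="${escapeAttr(href)}">test</a>\n</noscript>`;
}

// Counts opening and closing boundaries of one tag name in rendered markup.
// With scripting enabled, browsers parse <noscript> content as raw text, so
// the first '</noscript>' seen (even inside an attribute) ends the element and
// everything after it is parsed as ordinary markup. A template with a single
// <noscript> pair contributes exactly two boundaries; any extra 'noscript' or
// 'script' boundary came from the injected value.
function countTagBoundaries(html, tagName) {
  const re = new RegExp(`<\\/?${tagName}\\b`, 'gi');
  return (html.match(re) || []).length;
}

// The advisory's PoC value, constructed here for the demonstration.
const POC_HREF = '</noscript><script>alert(123)</script>';

function demo() {
  const vulnerable = renderNoscriptLink(POC_HREF, escapeAttrVulnerable);
  const hardened = renderNoscriptLink(POC_HREF, escapeAttrHardened);
  return {
    vulnerableScriptTags: countTagBoundaries(vulnerable, 'script'), // 2
    hardenedScriptTags: countTagBoundaries(hardened, 'script'),     // 0
  };
}
```

The same boundary count works as a quick regression check over any server-rendered page that places user input in attributes inside <noscript>.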


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "svelte"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-30T16:49:10Z",
    "nvd_published_at": "2024-08-30T17:15:15Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.\n\n### Details\n\nSvelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:\n\n- If the string is an attribute value:\n    - `\"` -\u003e `\u0026quot;`\n    - `\u0026` -\u003e `\u0026amp;`\n    - Other characters -\u003e No conversion\n- Otherwise:\n    - `\u003c` -\u003e `\u0026lt;`\n    - `\u0026` -\u003e `\u0026amp;`\n    - Other characters -\u003e No conversion\n\nThe assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `\u003cnoscript\u003e` tag.\n\n### PoC\n\nA vulnerable page (`+page.svelte`):\n```html\n\u003cscript\u003e\nimport { page } from \"$app/stores\"\n\n// user input\nlet href = $page.url.searchParams.get(\"href\") ?? \"https://example.com\";\n\u003c/script\u003e\n\n\u003cnoscript\u003e\n  \u003ca href={href}\u003etest\u003c/a\u003e\n\u003c/noscript\u003e\n```\n\nIf a user accesses the following URL,\n```\nhttp://localhost:4173/?href=\u003c/noscript\u003e\u003cscript\u003ealert(123)\u003c/script\u003e\n```\nthen, `alert(123)` will be executed.\n\n### Impact\n\nXSS, when using an attribute within a noscript tag",
  "id": "GHSA-8266-84wp-wv5c",
  "modified": "2024-08-30T20:01:23Z",
  "published": "2024-08-30T16:49:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/svelte"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Svelte has a potential mXSS vulnerability due to improper HTML escaping"
}

