Cross-site Scripting (XSS) - DOM in mrdoob/three.js
Reported on
Jan 9th 2022
Description
DOM-based XSS is a vulnerability in which the attacker can inject arbitrary JavaScript code into any DOM sink that supports dynamic code execution. In our case, the source is window.location.hash and the sink is iframe.src.
Proof of Concept
1. Visit https://threejs.org/docs/index.html#javascript:alert(document%2edomain)
2. You will see a pop-up showing the domain name.
Impact
The attacker can execute malicious JavaScript code in the victim's browser, for example to run crypto miners or to exploit 0-day remote code execution bugs in the browser.
Occurrences
index.html L503-L518: takes an arbitrary src for the iframe
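The source-to-sink flow described above, as an added example (not three.js code and not the fix in the PR): the vulnerable pattern trusts whatever follows "#" as the iframe src, while the hardened version decodes the hash, allow-lists the shape of a documentation page name and resolves it against the docs origin. The base URL and page-name pattern are assumptions; the functions are written as pure string handling so they run outside a browser.

```javascript
// Assumed docs base and page-name shape (e.g. "api/en/core/Object3D");
// not taken from the project, chosen to illustrate the check.
const DOCS_BASE = 'https://threejs.org/docs/';
const PAGE_NAME = /^[A-Za-z0-9_-]+(?:\/[A-Za-z0-9_-]+)*$/;

// Vulnerable: the hash is trusted as-is, so '#javascript:alert(document.domain)'
// becomes a javascript: URL in the iframe's src and runs in the docs origin.
function unsafeResolve(hash) {
  return hash.slice(1); // '#javascript:...' -> 'javascript:...'
}

// Hardened: decode first (the PoC hides the dot as %2e), reject anything that is
// not a plain page name (no ':', '/', '..', '<' or '%' survive the regex), then
// resolve against the docs base and confirm the result stayed on that origin.
// Returns the absolute page URL or null if the hash must not be used.
function safeResolve(hash) {
  let page;
  try {
    page = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding (URIError)
  }
  if (!PAGE_NAME.test(page)) return null;
  const url = new URL(page + '.html', DOCS_BASE);
  // Belt and braces: a relative name cannot escape the base, but verify anyway.
  if (url.protocol !== 'https:' || !url.href.startsWith(DOCS_BASE)) return null;
  return url.href;
}

// Constructed sample hashes: the PoC payload and a legitimate page name.
const samples = ['#javascript:alert(document%2edomain)', '#api/en/core/Object3D'];
for (const h of samples) {
  console.log(h, '->', 'unsafe:', unsafeResolve(h), '| safe:', safeResolve(h));
}
```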
Hi Mr.doob, I have made PR #23245 for this patch. Once you approve the PR, please confirm that the fix has been merged on the huntr.dev report. @maintainer
Is there a way to change the severity?
This issue has zero impact on projects that import three, but GitHub is automatically "forcing" projects to upgrade because of this issue.
@Mr.doob - absolutely, we can help with this. Can you confirm the new CVSS vector string and score that you would like to update this report and CVE to?
I think the string is correct but it only affects the gh-pages branch of the repo which is not what gets published on npm.
Users of the library shouldn't be told to upgrade. So the score should be zero?
Thank you for the patience today in rectifying this @Mr.doob. We will adjust the CVSS to 0 and can confirm that we have removed the CVE from this report, and revoked the CVE altogether. Apologies for the hassle!
@r0hansh - because the vulnerability/security issue is not actually in the library itself, but is instead in the documentation - we do not consider this to fall under our disclosure program policy/scope. For this reason, we cannot reward the bounties and so will set both to 0; however, we are happy to leave this report as valid.
Please feel free to let me know if either of you has any further questions or issues, and happy to help address them!