Cross-site Scripting (XSS) - DOM in mrdoob/three.js

Valid

Reported on

Jan 9th 2022


Description

DOM-based XSS is a vulnerability in which the attacker can inject arbitrary javascript code in any DOM sink that supports dynamic code execution. In our case, source is window.location.hash and sink is iframe.src

Proof of Concept

1 Visit

https://threejs.org/docs/index.html#javascript:alert(document%2edomain)

You will see a pop-up saying domain name

Impact

The attacker can execute malicious javascript code in victim's browser like run crypto miners, exploit 0-day remote code execution bugs in browser etc.

Occurrences

taking arbitrary src for iframe

We are processing your report and will contact the mrdoob/three.js team within 24 hours. 5 months ago
We have contacted a member of the mrdoob/three.js team and are waiting to hear back 5 months ago
Mr.doob validated this vulnerability 5 months ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rohan Sharma submitted a
4 months ago
Mr.doob
4 months ago

Maintainer


LGTM

Rohan Sharma
4 months ago

Researcher


Hi Mr.doob, I have made a PR #23245 for this patch. Once you approve the PR and then please confirm that the fix has been merged on huntr.dev report @maintainer

Mr.doob confirmed that a fix has been merged on 0c31bc 4 months ago
Rohan Sharma has been awarded the fix bounty
index.html#L503-L518 has been validated
Mr.doob
4 months ago

Maintainer


Is there a way to change the severity?

This issue has zero impact on projects that import three but github is automatically "forcing" project to upgrade because of this issue.

Jamie Slome
4 months ago

Admin


@Mr.doob - absolutely, we can help with this. Can you confirm the new CVSS vector string and score that you would like to update this report and CVE to?

Mr.doob
4 months ago

Maintainer


I think the string is correct but it only affects the gh-pages branch of the repo which is not what gets published on npm.

Users of the library shouldn't be told to upgrade. So the score should be zero?

Jamie Slome
4 months ago

Admin


Thank you for the patience today in rectifying this @Mr.doob. We will adjust the CVSS to 0 and can confirm that we have removed the CVE from this report, and revoked the CVE altogether. Apologies for the hassle!

@r0hansh - because the vulnerability/security issue is not actually in the library itself, but is instead in the documentation - we do not consider this to fall under our disclosure program policy/scope. For this reason, we cannot reward the bounties and so will set both to 0, however are happy to leave this report as valid.

Please feel free to let me know if either of you has any further questions or issues, and happy to help address them!

Mr.doob
4 months ago

Maintainer


Sounds good to me. Thanks Jamie!

Rohan Sharma
4 months ago

Researcher


Hi Jamie, no issues. sounds good to me as well.

Jamie Slome
4 months ago

Admin


Welcome ♥️

to join this conversation