XSS in webmention.js in plaidweb/webmention.js
Reported on
Jul 11th 2023
Description
webmention.js has an XSS vulnerability here. The comment name (`c.name`) is not escaped before it is interpolated into HTML: https://github.com/PlaidWeb/webmention.js/blob/9457e71433c0d2430bbe767ecc5b5837140d0ee4/static/webmention.js#L330
Proof of Concept
1. Put webmention.js on your site.
2. Send a webmention that includes an XSS payload in `p-name`:

```html
<article class="h-entry">
<span class="p-name"><img src=x onerror=alert(1)></span>
...
```

3. webmention.js will execute an alert on your site.
Impact
A malicious JavaScript is evaluated on the website, which may allow the attacker to transfer private information such as cookies, which may include session information, from the victim's machine to the attacker. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site.
Occurrences
webmention.js L330 (`c.name` should be HTML escaped):

```javascript
    linktext = c.name;
} else if (c.content && c.content.text) {
    linkclass = "text";
    linktext = extractComment(c);
}
const type = `<span class="${linkclass}">${linktext}</span>`;
```
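The fix the report asks for, as an added example that is not webmention.js code: the vulnerable branch above rebuilt side by side with a version that escapes each plaintext property before template interpolation. The `"name"` class and the use of `c.content.text` in place of `extractComment(c)` are assumptions, since the report excerpt does not show them.

```javascript
// Added example, not part of webmention.js. Shows why raw interpolation of the
// p-name string is exploitable and how escaping it before use removes the injection.

// Escapes the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the vulnerable branch: plaintext fields are interpolated into markup unchanged.
function renderLinkVulnerable(c) {
  let linkclass, linktext;
  if (c.name) {
    linkclass = "name";        // assumed class; not shown in the report excerpt
    linktext = c.name;
  } else if (c.content && c.content.text) {
    linkclass = "text";
    linktext = c.content.text; // stands in for extractComment(c), which is not shown
  } else {
    return "";
  }
  return `<span class="${linkclass}">${linktext}</span>`;
}

// Fixed version: every plaintext property is escaped before it reaches the template.
function renderLinkFixed(c) {
  let linkclass, linktext;
  if (c.name) {
    linkclass = "name";
    linktext = escapeHtml(c.name);
  } else if (c.content && c.content.text) {
    linkclass = "text";
    linktext = escapeHtml(c.content.text);
  } else {
    return "";
  }
  return `<span class="${linkclass}">${linktext}</span>`;
}

// Constructed sample: a parsed comment whose p-name carries the payload from the PoC.
const hostileComment = { name: "<img src=x onerror=alert(1)>", url: "https://example.invalid/reply" };

// Detection helper: does the rendered markup still contain a live <img> tag?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}
```

With the fixed renderer the payload survives only as `&lt;img ...&gt;`, which the browser displays as text rather than parsing as an element.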
Hi, reviewing this vulnerability it does seem valid. Since the p-name property is plaintext it should be treated as such by the client, rather than being sanitized server-side. I'll work on implementing a fix, and ensuring that other p-properties are also being correctly sanitized.
@fluffy Thank you for quick fix!
Can you assign a CVE for this vulnerability? webmention.js is widely used (I am one of them :) ) and people can update if they see the CVE.
I had attempted to from the huntr.dev interface but it wasn't clear to me how to actually do that; it just told me "This vulnerability will not receive a CVE" with no option to override that. This is my first time using this platform, and the documentation isn't actually being very helpful. How do I assign a CVE?
OK 👌 I think there was an option button to issue a CVE when publishing this issue.
@admin can you help us to assign a CVE?
I see. Let's wait for an admin. I think they can manually issue as far as I see other reports.
Hi, I've assigned a CVE to this vulnerability as requested :)
@admin Another bit of weirdness, it looks like my fix was not assigned to me. Could you look into this?
Thanks!
Hey, the issue with the fix bounty assignment has been resolved :)