Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in wenzhixin/bootstrap-table

Valid

Reported on Apr 7th 2022


Description

Hello and thank you for the wonderful library! We use it extensively in our app. However, I think we've identified an XSS vulnerability in the Export plug-in.

If you set the exportOptions in your Bootstrap Table to true, then you can force arbitrary JavaScript to execute (see the attached PoC). The problem is actually in the jQuery Table Export plug-in, and I've reported it to them as well. But I figure you might also want to fix it here, just in case.

I think the problem can be worked around by using a corrected onCellHtmlData callback method, which it looks like the library is already attempting to do. However, as evidenced by the vuln, I think for some reason that callback isn't getting executed, and the default onCellHtmlData callback is firing instead, and that default implementation does appear to be vulnerable.

Proof of Concept

https://live.bootstrap-table.com/code/uberbrady/11033

Impact

Disclosing session cookies, disclosing secure session data, exfiltrating data to third parties.

Occurrences

I suspect that this line isn't creating an element whose value is the enclosed callback? Or perhaps tree-shaking is removing the function? Or maybe 'uglification' is renaming the element? Either way, this method doesn't seem to be firing. In my own code, when I pass along the onCellHtmlData callback with this function, it does seem to negate the XSS vulnerability.
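The mitigation the report describes in the Description and Occurrences sections, an onCellHtmlData callback that neutralises cell HTML before export, as an added example. This code is not from the report, from bootstrap-table or from the tableExport plug-in. It assumes tableExport calls the callback as (cell, rowIndex, colIndex, htmlData) and that `cell` behaves like a jQuery object with `.is(selector)` and `.text()`; `fakeCell` is a stand-in so the example runs without jQuery or a DOM, and the sample cell HTML is constructed.

```javascript
// Added example, not code from the report or from bootstrap-table/tableExport.
// Assumption: tableExport invokes onCellHtmlData(cell, rowIndex, colIndex, htmlData)
// and `cell` exposes jQuery-like .is(selector) and .text().

// Escape the five characters that let a value break out of HTML text context.
function escapeCellHtml(htmlData) {
  return String(htmlData)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Behaviour the report describes: the default callback passes cell HTML through
// unchanged, so with htmlContent: true it lands in the export as live markup.
function defaultOnCellHtmlData(cell, rowIndex, colIndex, htmlData) {
  return htmlData;
}

// Hardened callback: header cells export their visible text (what the report says
// the library attempts), body cells are escaped so markup cannot survive export.
function safeOnCellHtmlData(cell, rowIndex, colIndex, htmlData) {
  if (cell.is('th')) {
    return cell.text();
  }
  return escapeCellHtml(htmlData);
}

// Minimal jQuery-like cell object (hypothetical helper) so this runs stand-alone.
function fakeCell(tagName, text) {
  return {
    is: (selector) => selector.toLowerCase() === tagName.toLowerCase(),
    text: () => text,
  };
}

// Constructed sample: cell HTML carrying an event-handler attribute.
const SAMPLE_CELL_HTML = '<img src="x" onerror="alert(1)">';

// Run a callback over the sample body cell exactly as the plug-in would.
function exportCell(callback) {
  return callback(fakeCell('td', 'x'), 0, 0, SAMPLE_CELL_HTML);
}

// Detection check a reviewer can apply to export output: does any tag survive?
function containsRawMarkup(s) {
  return /<[a-z!\/]/i.test(s);
}

// Stand-alone demonstration of both paths.
console.log('default :', exportCell(defaultOnCellHtmlData),
  containsRawMarkup(exportCell(defaultOnCellHtmlData)) ? '(raw markup survives)' : '(clean)');
console.log('hardened:', exportCell(safeOnCellHtmlData),
  containsRawMarkup(exportCell(safeOnCellHtmlData)) ? '(raw markup survives)' : '(clean)');
```

Pass `safeOnCellHtmlData` as `exportOptions.onCellHtmlData`; if the plug-in's default keeps firing instead, as the report suspects, `containsRawMarkup` run over the exported cells is a quick way to confirm the override is not taking effect.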

We are processing your report and will contact the wenzhixin/bootstrap-table team within 24 hours. 3 months ago
We have contacted a member of the wenzhixin/bootstrap-table team and are waiting to hear back 3 months ago
We have sent a follow up to the wenzhixin/bootstrap-table team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the wenzhixin/bootstrap-table team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the wenzhixin/bootstrap-table team. This report is now considered stale. 2 months ago
文翼 validated this vulnerability a month ago
Brady Wetherington has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
文翼 confirmed that a fix has been merged on b4a1e5 a month ago
文翼 has been awarded the fix bounty