GHSA-2rwj-7xq8-4gx4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2rwj-7xq8-4gx4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-2rwj-7xq8-4gx4/GHSA-2rwj-7xq8-4gx4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2rwj-7xq8-4gx4
- Aliases
- Published
- 2024-08-06T18:24:47Z
- Modified
- 2024-08-06T18:55:31Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Qwik has a potential mXSS vulnerability due to improper HTML escaping
- Details
-
Summary
A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0.
Details
Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208
- If the string is an attribute value:
"->"&->&- Other characters -> No conversion
- Otherwise:
<-><>->>&->&- Other characters -> No conversion
It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS).
PoC
A vulnerable component:
import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input const { url } = useLocation(); const href = url.searchParams.get("href") ?? "https://example.com"; return ( <div> <noscript> <a href={href}>test</a> </noscript> </div> ); });If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>then,
alert(123)will be executed.Impact
XSS
- If the string is an attribute value:
- Database specific
{ "nvd_published_at": "2024-08-06T18:15:56Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-08-06T18:24:47Z" }- References
-
- https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4
- https://nvd.nist.gov/vuln/detail/CVE-2024-41677
- https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e
- https://github.com/QwikDev/qwik
- https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208
Affected packages
npm / @builder.io/qwik
Package
- Name
- @builder.io/qwik
- View open source insights on deps.dev
- Purl
- pkg:npm/%40builder.io/qwik