usd-2024-0011 | XSS in Glossarizer v1.5.2

Advisory ID: usd-2024-0011
Product: Glossarizer
Affected Version: <= v1.5.2
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Security Risk: HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L)
Vendor URL: https://www.pebbleroad.com/
Vendor acknowledged vulnerability: No
Vendor Status: Not fixed
CVE Number: CVE-2024-42515
CVE Link: Not published yet

Disclaimer regarding publication of unfixed vulnerabilities

Our numerous attempts to get in touch with the developers were unfortunately unsuccessful. This means that despite our best efforts to avoid disclosing unpatched vulnerabilities, we also have an obligation towards the wider community of Glossarizer users to inform them of this issue, even if the developers are uncooperative and seemingly unwilling to provide a fix. After all, if we were able to discover this vulnerability, malicious actors may be able to do so as well.
From our point of view, this possibility outweighs the concerns associated with this disclosure.

Affected Component

https://github.com/PebbleRoad/glossarizer/blob/master/jquery.glossarize.js#L240 in the .html() function

Description

Glossarizer is a jQuery plugin which allows developers to create glossaries. The vulnerability occurs when it converts text into HTML.
Even if the application itself escapes special characters (e.g., < and >), the library converts these encoded characters back into live HTML, which can lead to XSS.

Proof of Concept

  1. Choose a word inside the glossary (mandatory)
  2. Append an XSS payload, e.g., <img onerror="alert(document.domain)" src="#"/> to it with encoded <>
  3. XSS triggers

Fix

The developers can address this issue by doing the following:

  • Replace the .html() function
  • Escape special characters before injecting the HTML into the page
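The following is an added example written for this advisory; it is not Glossarizer's code and the function names (glossarizeUnsafe, glossarizeSafe, escapeHtml, termPattern) are our own. It models the pattern from the Description and Fix sections: glossarizeUnsafe takes text the way .text() returns it (entities already decoded) and writes it back as an HTML string, so a payload the application had escaped becomes live markup again; glossarizeSafe escapes every text segment before building the markup, so only the <abbr> wrapper the library itself generates is emitted unescaped. The sample text and glossary are constructed for the demonstration.

```javascript
// Added example, not part of Glossarizer. Names and sample data are assumptions.

// Escape the characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape regex metacharacters so glossary terms are matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// One case-insensitive alternation over all glossary terms, longest first.
// Glossary keys are lowercase terms; values are their definitions.
function termPattern(glossary) {
  const terms = Object.keys(glossary).sort((a, b) => b.length - a.length);
  return new RegExp('\\b(' + terms.map(escapeRegExp).join('|') + ')\\b', 'gi');
}

// UNSAFE (the CWE-79 pattern): decoded text is concatenated straight into an
// HTML string. Anything that had been escaped by the application reappears
// as markup once this string is written with .html() / innerHTML.
function glossarizeUnsafe(text, glossary) {
  return text.replace(termPattern(glossary), (m) =>
    '<abbr title="' + glossary[m.toLowerCase()] + '">' + m + '</abbr>');
}

// SAFE: every slice of user text, and the definition placed in the title
// attribute, is escaped; only the <abbr> wrapper is emitted as raw HTML.
function glossarizeSafe(text, glossary) {
  const re = termPattern(glossary);
  let out = '';
  let last = 0;
  for (const m of text.matchAll(re)) {
    out += escapeHtml(text.slice(last, m.index));
    const def = glossary[m[1].toLowerCase()];
    out += '<abbr title="' + escapeHtml(def) + '">' + escapeHtml(m[0]) + '</abbr>';
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed sample: this is what .text() would return after the
// application had stored the payload entity-escaped in the page.
const SAMPLE_GLOSSARY = { xss: 'Cross-site scripting' };
const SAMPLE_TEXT =
  'Every XSS payload like <img src=x onerror=alert(document.domain)> arrives here as plain text';

// True when the output contains no raw tag opener, i.e. the payload stayed text.
function isNeutralized(html) {
  return !/<img/i.test(html);
}

console.log('unsafe:', glossarizeUnsafe(SAMPLE_TEXT, SAMPLE_GLOSSARY));
console.log('safe:  ', glossarizeSafe(SAMPLE_TEXT, SAMPLE_GLOSSARY));
```

Where a DOM is available, the more robust form of the same fix is to stop building HTML strings at all: split the text node around each match, create the wrapper element with document.createElement, and insert the surrounding text with document.createTextNode, so no escaping step can be forgotten.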

Users of Glossarizer should consider if the risk of this vulnerability being exploited is acceptable.

References

  • https://github.com/PebbleRoad/glossarizer
  • https://owasp.org/www-community/attacks/xss/
  • https://api.jquery.com/html/
  • By design, any jQuery constructor or method that accepts an HTML string — jQuery(), .append(), .after(), etc. — can potentially execute code. This can occur by injection of script tags or use of HTML attributes that execute code (for example, ). Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document.

Timeline

  • 2024-03-01: Vulnerability discovered by Samir Benzammour and Kai Glauber.
  • 2024-06-05: Initial contact with developers via info@pebbleroad.com
  • 2024-07-01: Reminder sent via email and contact from https://www.pebbleroad.com/contact-us
  • 2024-07-25: Tried to file a security issue on GitHub, but the repository had been set to private in the meantime. Glossarizer is, however, still available as an npm package.
  • 2024-07-29: Requested a CVE ID.
  • 2024-08-03: MITRE assigned CVE-2024-42515.
  • 2024-08-12: Sent another reminder indicating that we expect an answer by the 29th of August, otherwise we will consider disclosing the vulnerability publicly.
  • 2024-08-30: No response was received.
  • 2024-10-30: After some more time waiting for a possible response to our messages, this advisory is published to inform users of this issue.

Credits

This security vulnerability was identified by Kai Glauber and Samir Benzammour of usd AG.