Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xcXdyLWo5bW0tZmh3Ns4ABBvc

deno_doc's HTML generator vulnerable to Cross-site Scripting

Summary

Several cross-site scripting vulnerabilities existed in the deno_doc crate which lead to Self-XSS with deno doc --html.

Details & PoC

1.) XSS in generated search_index.js

deno_doc outputed a JavaScript file for searching. However, the generated file used innerHTML on unsanitzed HTML input.

https://github.com/denoland/deno_doc/blob/dc556c848831d7ae48f3eff2ababc6e75eb6b73e/src/html/templates/pages/search.js#L120-L144

2.) XSS via property, method and enum names

deno_doc did not sanitize property names, method names and enum names.

Impact

The first XSS most likely didn't have an impact since deno doc --html is expected to be used locally with own packages.

Permalink: https://github.com/advisories/GHSA-qqwr-j9mm-fhw6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcXdyLWo5bW0tZmh3Ns4ABBvc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 15 days ago
Updated: 15 days ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-qqwr-j9mm-fhw6, CVE-2024-32468
References: Repository: https://github.com/denoland/deno
Blast Radius: 8.1

Affected Packages

cargo:deno_doc
Dependent packages: 11
Dependent repositories: 32
Downloads: 472,534 total
Affected Version Ranges: < 0.119.0
Fixed in: 0.119.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.12.1, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 0.49.0, 0.49.1, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 0.54.0, 0.55.0, 0.57.0, 0.58.0, 0.59.0, 0.60.0, 0.61.0, 0.61.1, 0.62.0, 0.63.0, 0.63.1, 0.64.0, 0.65.0, 0.66.0, 0.67.0, 0.68.0, 0.69.0, 0.69.1, 0.69.2, 0.70.0, 0.71.0, 0.72.0, 0.72.1, 0.72.2, 0.73.0, 0.73.1, 0.73.2, 0.73.3, 0.73.4, 0.73.5, 0.73.6, 0.74.0, 0.74.1, 0.75.0, 0.75.1, 0.76.0, 0.77.0, 0.78.0, 0.79.0, 0.80.0, 0.81.0, 0.82.0, 0.83.0, 0.84.0, 0.85.0, 0.86.0, 0.87.0, 0.88.0, 0.89.0, 0.89.1, 0.90.0, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.94.1, 0.95.0, 0.96.0, 0.97.0, 0.98.0, 0.99.0, 0.100.0, 0.101.0, 0.102.0, 0.103.0, 0.104.0, 0.105.0, 0.106.0, 0.107.0, 0.108.0, 0.109.0, 0.110.0, 0.110.1, 0.111.0, 0.112.0, 0.112.1, 0.113.0, 0.113.1, 0.114.0, 0.115.0, 0.116.0, 0.117.0, 0.118.0
All unaffected versions: 0.119.0, 0.120.0, 0.121.0, 0.122.0, 0.123.0, 0.123.1, 0.124.0, 0.125.0, 0.127.0, 0.128.0, 0.128.1, 0.129.0, 0.130.0, 0.131.0, 0.132.0, 0.133.0, 0.134.0, 0.135.0, 0.136.0, 0.137.0, 0.138.0, 0.139.0, 0.140.0, 0.141.0, 0.141.1, 0.142.0, 0.143.0, 0.144.0, 0.145.0, 0.146.0, 0.147.0, 0.148.0, 0.149.0, 0.150.0, 0.150.1, 0.151.0, 0.152.0, 0.153.0, 0.154.0, 0.154.1, 0.155.0, 0.156.0, 0.157.0, 0.158.0, 0.159.0, 0.159.1, 0.159.2, 0.160.0, 0.161.0, 0.161.1, 0.161.2