Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS #1390

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

andrisecops
Copy link

@andrisecops andrisecops commented Sep 30, 2024

Descriptions

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering.

CWE-79
CVE-2024-47068


What's this PR do?

Any background context you want to provide?

Screenshots?

You have tested this PR on:

  • Windows
  • Linux/Ubuntu
  • macOS

…to XSS

## Descriptions
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use `import.meta.url` or with plugins that emit and reference asset files from code in `cjs/umd/iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized `name` attribute) are present.

### Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering. 


CWE-79
[CVE-2024-47068](https://nvd.nist.gov/vuln/detail/CVE-2024-47068)
@andersk
Copy link
Member

andersk commented Sep 30, 2024

Thanks for drawing attention to this! I did a quick audit and determined that there’s no vulnerability in Zulip Desktop (if you find otherwise, please don’t hesitate to reach out to security@zulip.com). So we’ll take this rollup update along with all others as part of our normal release process next time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants