skip to content
Back to GitHub.com
Home Research Advisories CodeQL Wall of Fame Get Involved Events
December 15, 2021

GHSL-2021-1045: Cross-Site Scripting (XSS) in jQuery MiniColors Plugin - CVE-2021-32850

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

jQuery MiniColors Plugin is prone to XSS when handling untrusted color names.

Product

jQuery MiniColors Plugin

Tested Version

2.3.5

Details

Issue 1: XSS while handling color names (GHSL-2021-1045)

An attacker that is able to influence the name of a color can supply arbitrary html or javascript code that will be rendered in the context of a user, potentially leading to XSS.

Proof of concept snippet:

var settings = {
  swatches: [
    { name: '"> <img src="foobar" onerror="alert(2)" /> <', color: "black" }
  ]
};
$('input.minicolors').minicolors(settings);

Vulnerable code: jquery.minicolors.js

  $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color" title="' + name + '"></span></li>')
    .appendTo(swatches)
    .data('swatch-color', swatchString)
    .find('.minicolors-swatch-color')
    .css({
      backgroundColor: ((swatchString !== 'transparent') ? rgb2hex(swatch) : 'transparent'),
      opacity: String(swatch.a)
    });

Impact

This issue may lead to XSS

Resources

CVE

Resources

Credit

This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1045 in any communication regarding this issue.