Coordinated Disclosure Timeline
- 2021-11-24: Maintainer contacted
- 2021-11-25: Maintainer acknowledged the report
- 2021-11-25: Maintainer fixed the issue
Summary
Mind-elixir is prone to XSS when handling untrusted menus.
Product
Mind-elixir
Tested Version
Details
Issue 1: XSS while handling title field (GHSL-2021-1047)
An attacker who is able to influence the name field when creating a MindElixir instance can supply arbitrary HTML or JavaScript code that will be rendered in the context of a user, potentially leading to XSS.
Proof of concept snippet:
    let options = {
      el: '#map',
      // create new map data
      data: MindElixir.new('new topic'),
      contextMenuOption: {
        focus: true,
        link: true,
        extend: [
          {
            name: '<img src="foobar" onerror="alert(1)" />',
            onclick: () => {
              alert('extend menu')
            },
          },
        ],
      }
    }
    let mind = new MindElixir(options)
    mind.init()
    // get a node
    E('node-id')
Vulnerable code: contextMenu.js
    let createLi = (id, name, keyname) => {
      let li = document.createElement('li')
      li.id = id
      li.innerHTML = `<span>${name}</span><span>${keyname}</span>`
      return li
    }
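One way to close this sink, shown as an added example (it is not code from the advisory and not the project's actual fix): build the spans with textContent so the menu name is never parsed as HTML, or escape every interpolation if the innerHTML template has to stay. The names escapeHtml, createLiSafe, createLiEscaped and the doc parameter are assumptions made for this example.

```javascript
// Added example, not mind-elixir's own code. All function names are hypothetical.

// Characters that can change parsing in HTML text or quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
}

// Return `value` as inert HTML text; null/undefined become an empty string.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch])
}

// Preferred form: untrusted text never reaches the HTML parser.
// `doc` is the Document used to create nodes (pass `document` in a browser).
function createLiSafe(doc, id, name, keyname) {
  const li = doc.createElement('li')
  li.id = id
  for (const text of [name, keyname]) {
    const span = doc.createElement('span')
    span.textContent = String(text ?? '') // stored as text, not markup
    li.appendChild(span)
  }
  return li
}

// Fallback when the template string must be kept: escape each interpolation.
function createLiEscaped(doc, id, name, keyname) {
  const li = doc.createElement('li')
  li.id = id
  li.innerHTML = `<span>${escapeHtml(name)}</span><span>${escapeHtml(keyname)}</span>`
  return li
}
```

With either form, the proof-of-concept name above is displayed as literal text in the context menu and no img element is created, so the onerror handler never runs.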
Impact
This issue may lead to XSS.
Credit
This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1047 in any communication regarding this issue.
CVE
- CVE-2021-32851
Resources
- https://github.com/ssshooter/mind-elixir-core/commit/073485269ac83af24371f35bd08507defa885655