CVE-2024-41677

MEDIUM6.3EPSS 0.61%

Qwik has a potential mXSS vulnerability due to improper HTML escaping

Published: 8/6/2024Modified: 8/6/2024
Also known as:GHSA-2rwj-7xq8-4gx4

Description

### Summary A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. ### Details Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 - If the string is an attribute value: - `"` -> `&quot;` - `&` -> `&amp;` - Other characters -> No conversion - Otherwise: - `<` -> `&lt;` - `>` -> `&gt;` - `&` -> `&amp;` - Other characters -> No conversion It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). ## PoC A vulnerable component: ```javascript import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input const { url } = useLocation(); const href = url.searchParams.get("href") ?? "https://example.com"; return ( <div> <noscript> <a href={href}>test</a> </noscript> </div> ); }); ``` If a user accesses the following URL, ``` http://localhost:4173/?href=</noscript><script>alert(123)</script> ``` then, `alert(123)` will be executed. ### Impact XSS

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
osvCVSS 3.1MEDIUM6.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References (5)