Vendor:
fabric

Product Name:
fabric

Affected Version:
1.2.0

Cross-Site Scripting (XSS)

Description:

A cross-site scripting (XSS) vulnerability has been discovered in Fabric Open Source (https://github.com/danielmiessler/fabric) v1.2.0. The vulnerability is present at https://github.com/danielmiessler/fabric/blob/main/installer/client/gui/static/js/index.js#L43 and https://github.com/danielmiessler/fabric/blob/main/installer/client/gui/static/js/index.js#L159, where the statement tempDiv.innerHTML = html in the htmlToPlainText function is intended to convert HTML content to plain text. However, it assigns the untrusted html variable directly to the innerHTML property of a temporary div element without sanitisation or validation. This allows an attacker to inject malicious scripts or HTML into the html variable, which will be executed when assigned to innerHTML. The root cause is the lack of input validation and sanitisation before innerHTML is used.

The vulnerable code is located in the htmlToPlainText function:

  function htmlToPlainText(html) {
    var tempDiv = document.createElement("div");
    tempDiv.innerHTML = html; // Vulnerable line: untrusted markup is parsed into a live DOM element
    // ... (remainder of the function omitted in this report)
  }

Vulnerability Type:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Additional Information:
Steps to exploit:

  1. Prepare a malicious HTML payload that includes a script, for example:
    <script>alert('XSS');</script>
  2. Call the htmlToPlainText function with the malicious payload:
       const maliciousHtml = "<script>alert('XSS');</script>";
       const result = htmlToPlainText(maliciousHtml);
  3. Observe that the injected script is executed, showing an alert box with the message "XSS".

Impact:
This is a cross-site scripting (XSS) vulnerability that allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim’s browser. The vulnerability impacts any user who interacts with the application where the htmlToPlainText function is used with untrusted user input.

The potential consequences of this vulnerability include:

  • Stealing sensitive information, such as cookies or authentication tokens.
  • Performing unauthorized actions on behalf of the user.
  • Manipulating the web page’s content and behavior.
  • Redirecting users to malicious websites.

The severity of this vulnerability depends on how the htmlToPlainText function is used within the application and the sensitivity of the data it processes. If the function is used to handle user-provided content that is displayed to other users, the impact could be significant.

To mitigate this vulnerability, it is recommended to:

  • Properly sanitize and validate the html input before assigning it to innerHTML.
  • Use a library like dompurify to sanitize the HTML content.
  • Consider using safer alternatives like textContent or innerText if the plain text content is sufficient.
  • Implement a whitelist of allowed HTML elements and attributes if specific HTML formatting is required.
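As an added illustration of the mitigations above, the following JavaScript is example code written for this page, not code from the fabric project; the names htmlToPlainTextSafe, renderPlainText, escapeHtml and decodeEntities are illustrative. It converts untrusted HTML to plain text while treating the markup as a string throughout (nothing is ever assigned to innerHTML), and puts the result on the page through textContent:

```javascript
// Added example (not from the fabric project): plain-text extraction from untrusted HTML
// that never hands the markup to a live DOM. All function names here are illustrative.

// Minimal named-entity table; numeric references (&#65; / &#x41;) are decoded generically.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: " " };

// Decode character references in already tag-free text, in a single pass so that
// "&amp;lt;" becomes "&lt;" and not "<". Unknown references are left untouched.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : match;
  });
}

// Safe counterpart of the advisory's htmlToPlainText: the input is only ever a string,
// so no element, attribute or script inside it can be parsed into the document or executed.
// Tag stripping here is deliberately simple; that is acceptable only because the output is
// treated as text (see renderPlainText), never re-parsed as HTML.
function htmlToPlainTextSafe(html) {
  if (typeof html !== "string") return "";
  const text = html
    // Drop script and style elements together with their contents; their source is not "text".
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "")
    // Drop HTML comments.
    .replace(/<!--[\s\S]*?-->/g, "")
    // Turn block-level boundaries and line breaks into newlines.
    .replace(/<\/?(br|p|div|li|tr|h[1-6])\b[^>]*>/gi, "\n")
    // Strip every remaining tag.
    .replace(/<[^>]*>/g, "");
  // Entities are decoded only after tags are gone, so "&lt;b&gt;" stays literal text.
  return decodeEntities(text)
    .replace(/[ \t]+\n/g, "\n")
    .replace(/\n{3,}/g, "\n\n")
    .trim();
}

// Escape text for the rare case it must be placed back into an HTML string.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Put the extracted text on the page through textContent, never innerHTML.
// `target` is any object with a textContent property (a DOM element in the browser).
function renderPlainText(target, untrustedHtml) {
  const text = htmlToPlainTextSafe(untrustedHtml);
  target.textContent = text;
  return text;
}

// Usage with a constructed sample input containing the advisory's payload; the
// plain object stands in for a DOM element so this also runs outside a browser.
const sample = "<p>Hello <b>world</b> &amp; friends</p><script>alert('XSS');</script>";
const out = { textContent: "" };
renderPlainText(out, sample);
console.log(JSON.stringify(out.textContent)); // "Hello world & friends"
```

In a browser, new DOMParser().parseFromString(html, "text/html").body.textContent is an equally safe alternative, because DOMParser builds an inert document in which scripts do not run; the string-based version above has the advantage of running anywhere and of dropping script and style source instead of returning it as text. Whatever the extraction method, the decisive rule is the final step: the result must reach the page via textContent, and if it ever has to be placed into an HTML string it must pass through escapeHtml first, since legitimately extracted text can contain characters such as < that would otherwise be parsed as markup.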

Remediation

Fixed Version:
No Fix Version Available

Workarounds:
None at this time.

Obtaining Software Fixes:
N/A

Contact Us:
For any question related to this vulnerability or upgrade, please contact us.