Cross-site Scripting (XSS) Affecting foundation-sites package, versions [,6.0.0)


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Mature

  • Snyk ID: SNYK-DOTNET-FOUNDATIONSITES-60154
  • Published: 2 Aug 2017
  • Disclosed: 2 Aug 2017
  • Credit: Nathaniel Paulus

Introduced: 2 Aug 2017

CVE: not available. CWE-79

How to fix?

Upgrade foundation-sites to version 6.0.0 or higher.

Overview

foundation-sites is an advanced responsive front-end framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to an insufficient fix for npm:foundation-sites:20150619.

Thanks to Nathaniel Paulus for disclosing this vulnerability!

Although innerHTML does not make script tags executable, script tags are not the only way to run arbitrary code.

This vulnerability was introduced in a deliberate attempt to allow HTML in captions. The file was subsequently deleted when version 6 was merged into the develop branch in commit 1e08494bb2118c9786ffc33c28158311cd542bcb. Confirmation of its removal (as well as plans to re-add it) can be found in issue 7759.
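The root cause above is untrusted caption text handed to innerHTML so that markup is honoured. The following is an added example (not foundation-sites code) of the defensive alternative: a caption renderer that keeps a small allowlist of attribute-free inline tags and escapes everything else, so a tag carrying any attribute, including an inline event handler, is rendered as literal text rather than interpreted. The tag allowlist and function names are this example's own choices.

```javascript
// Added example, not from foundation-sites: render an untrusted caption
// without giving raw HTML to innerHTML. Only attribute-free inline tags
// from this allowlist survive; every other tag and all text is escaped.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "br"]);

// Escape the characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only <tag>, </tag> or <tag/> for allowlisted names. A tag with
// any attribute at all (class, href, on*) fails the pattern and is escaped,
// which is what closes the "not only script tags" route the advisory notes.
function isAllowedTag(tag) {
  const m = /^<\/?([a-z]+)\s*\/?>$/i.exec(tag);
  return m !== null && ALLOWED_TAGS.has(m[1].toLowerCase());
}

// Split on anything tag-shaped. With a capturing group, odd-indexed tokens
// are the tag candidates and even-indexed tokens are plain text.
function sanitizeCaption(caption) {
  return caption
    .split(/(<[^>]*>)/)
    .map((tok, i) => (i % 2 === 1 && isAllowedTag(tok) ? tok : escapeHtml(tok)))
    .join("");
}

// Constructed sample captions to show the two outcomes.
// sanitizeCaption("Plain <b>bold</b> caption")          → 'Plain <b>bold</b> caption'
// sanitizeCaption('<span onmouseover="go()">hi</span>') → '&lt;span onmouseover=&quot;go()&quot;&gt;hi&lt;/span&gt;'
```

The result of sanitizeCaption is safe to assign to innerHTML; the safer default, when captions never need formatting, is to skip the allowlist entirely and assign the raw caption to textContent.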

Details


You can read more about Cross-site Scripting (XSS) on our blog.

Disclosure Timeline

  • March 14th, 2017 - Responsible Disclosure and PoC sent by Nathaniel Paulus.
  • April 13th, 2017 - Disclosure to first contact @foundation-sites.
  • May 14th, 2017 - Disclosure to first and secondary contacts @foundation-sites.
  • June 12th, 2017 - After no response from either contact, PoC sent to both contacts.
  • August 2nd, 2017 - Vulnerability made public.

CVSS Scores: version 3.1