Summary
w3c/css-validator is vulnerable to cross-site scripting (XSS) due to insufficient input sanitization.
Product
Tested Version
Commit 54d68a1a
Details
The css-validator application takes a URI as input. For example, in the request http://localhost:8080/css-validator/validator?uri=file%3A%2F%2F%2F%3Cscript%3Ealert(%22xss%22)%3C/script%3E.css&profile=css3svg&usermedium=all&warning=1&vextwarning=&lang=en the URI is file:///<script>alert("xss")</script>.css.
In case of a CSS error, this URI is saved in the field sourceFile and it is also included in the error message. Both values are passed to the template engine here and here. The template then reads these values and reflects them back to the user unescaped here and here, causing XSS.
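As an added illustration that is not the project's code: a constructed mock of the flow above, decoding the uri parameter from the sample request on this page, placing it in the sourceFile field and error message, and rendering it through a hypothetical template first unescaped and then with HTML output encoding, plus a small check a reviewer can run to flag responses that echo the raw value.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request shown in the advisory.
SAMPLE_REQUEST = (
    "http://localhost:8080/css-validator/validator?uri="
    "file%3A%2F%2F%2F%3Cscript%3Ealert(%22xss%22)%3C/script%3E.css"
    "&profile=css3svg&usermedium=all&warning=1&vextwarning=&lang=en"
)

# Hypothetical stand-in for the result template (not the project's own template).
TEMPLATE = (
    "<p>Source file: {sourceFile}</p>\n"
    '<p class="error">{errorMessage}</p>\n'
)


def uri_from_request(url):
    """URL-decode the uri query parameter, as the servlet container would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params["uri"][0]


def build_context(uri):
    """Both template fields carry the user-controlled URI, as the advisory describes."""
    return {"sourceFile": uri, "errorMessage": f"Unable to read file {uri}"}


def render_unsafe(context):
    """Vulnerable rendering: values are substituted into the HTML verbatim."""
    return TEMPLATE.format(**context)


def render_safe(context):
    """Hardened rendering: every value is HTML-escaped before substitution."""
    escaped = {k: html.escape(v, quote=True) for k, v in context.items()}
    return TEMPLATE.format(**escaped)


def reflects_raw_input(page, value):
    """Detection check: True if a value containing markup characters appears unescaped."""
    has_markup = any(ch in value for ch in "<>\"'")
    return has_markup and value in page


if __name__ == "__main__":
    ctx = build_context(uri_from_request(SAMPLE_REQUEST))
    print("unsafe reflects raw input:", reflects_raw_input(render_unsafe(ctx), ctx["sourceFile"]))
    print("safe reflects raw input:  ", reflects_raw_input(render_safe(ctx), ctx["sourceFile"]))
```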
Impact
Reflected cross-site scripting (XSS) via the uri parameter.
CVE
Github Advisories
Coordinated Disclosure Timeline
- 2020-06-15: Asked to open a Github security advisory.
- 2020-06-18: Invited to Github security advisory.
- 2020-06-19: Issue is patched.
- 2020-06-19: Advisory is published.
- 2020-06-20: CVE is assigned.
Credit
This issue was discovered and reported by @intrigus-lgtm.
Contact
You can contact the ISL at isl@intrigus.org. Please include a reference to ISL-2020-003 in any communication regarding this issue.