Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data
Published: July 25, 2013
SECURITY IDENTIFIERS
- CVE: CVE-2013-4170 (NVD)
- GHSA: GHSA-5m48-c37x-f792
- Vendor Advisory: https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM
GEM
SEVERITY
CVSS v3.x: 6.1 (Medium)
PATCHED VERSIONS
~> 1.0.0.rc1.1
~> 1.0.0.rc2.1
~> 1.0.0.rc3.1
~> 1.0.0.rc4.1
~> 1.0.0.rc5.1
>= 1.0.0.rc6.1
DESCRIPTION
In general, Ember.js escapes or strips any user-supplied content
before inserting it in strings that will be sent to innerHTML.
However, the tagName property of an Ember.View was inserted into
such a string without being sanitized. This means that if an
application assigns a view's tagName to user-supplied data, a
specially-crafted payload could execute arbitrary JavaScript in the
context of the current domain ("XSS").
This vulnerability only affects applications that assign or bind
user-provided content to tagName.
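The flaw and an application-side guard, modelled as an added example (this is not Ember's source or its patch). `ALLOWED_TAGS`, `resolveTagName` and the other names are hypothetical, and the sample inputs are constructed and harmless.

```javascript
// Simplified model of string-based view rendering; all names are hypothetical.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'li', 'section', 'article']);
const DEFAULT_TAG = 'div'; // assumed fallback for anything off the allowlist

// Escape text that lands inside a double-quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Pattern the advisory describes: the attribute value is escaped, but the
// tag name is concatenated into the innerHTML-bound string as-is.
function openTagUnsafe(tagName, id) {
  return '<' + tagName + ' id="' + escapeAttr(id) + '">';
}

// Map untrusted input onto a fixed allowlist instead of trying to clean it.
function resolveTagName(untrusted) {
  const candidate = String(untrusted == null ? '' : untrusted).trim().toLowerCase();
  return ALLOWED_TAGS.has(candidate) ? candidate : DEFAULT_TAG;
}

function openTagSafe(tagName, id) {
  return '<' + resolveTagName(tagName) + ' id="' + escapeAttr(id) + '">';
}

// Constructed inputs: the second shows extra markup riding in on the tag name.
const samples = ['span', 'span data-injected="1"', 'SECTION', ''];

function compare(inputs) {
  return inputs.map((input) => ({
    input,
    unsafe: openTagUnsafe(input, 'v1'),
    safe: openTagSafe(input, 'v1'),
  }));
}

console.log(compare(samples));
```

Applications that must let users influence `tagName` can apply a guard like `resolveTagName` before the value reaches the view, in addition to upgrading to a patched version.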
