RubySec

Providing security resources for the Ruby community

CVE-2013-4170 (ember-source): Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data

ADVISORIES

GEM

ember-source

PATCHED VERSIONS

  • ~> 1.0.0.rc1.1
  • ~> 1.0.0.rc2.1
  • ~> 1.0.0.rc3.1
  • ~> 1.0.0.rc4.1
  • ~> 1.0.0.rc5.1
  • >= 1.0.0.rc6.1

DESCRIPTION

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the tagName property of an Ember.View was inserted into such a string without being sanitized. This means that if an application assigns a view’s tagName to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain (“XSS”).

This vulnerability only affects applications that assign or bind user-provided content to tagName.