CVE-2023-39683: DOM XSS on JSON Source Code Panel in zalify/easy-email

vificatem
2 min read · Dec 22, 2023


CVE-2023-39683
Description: Cross Site Scripting vulnerability in EasyEmail to all current versions allows a local attacker to execute arbitrary code via the user input parameter(s).
Affected Components:
- https://github.com/zalify/easy-email/blob/master/packages/easy-email-extensions/src/AttributePanel/components/adapter/Json.adapter.ts
- https://github.com/zalify/easy-email/blob/master/packages/easy-email-extensions/src/SourceCodePanel/index.tsx

Update: The vulnerability was found in version 4.12.2, so the CVE record should list that as the last version known to be vulnerable. However, all versions released to date remain vulnerable, and the developer has stated there are no plans to fix it.

Description

Because an eval function is applied to event.target.value, DOM XSS is possible while editing the JSON Source Code Panel. I could pop an alert using the following proof of concept, but any other JavaScript would execute just as well. In the interest of keeping the report succinct, I have opted to report this as a DOM XSS. The vulnerability stems from the following code in the affected code path.

const onChangeCode = useCallback(
  (event: React.FocusEvent<HTMLTextAreaElement>) => {
    try {
      const parseValue = JSON.parse(
        JSON.stringify(eval('(' + event.target.value + ')'))
      ) as IBlockData;
      ...

From this it can be seen that eval is called on the textarea value without any sanitisation. A simple fix would be to do something like this instead:

const parseValue = JSON.parse(event.target.value) as IBlockData;

which would get rid of the need to eval the value before anything else.
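To show the difference concretely, here is an added example (my own code, not easy-email's) of a JSON-only replacement for the panel's change handler: JSON.parse rejects anything that is not a JSON literal, so a payload in the shape of the one below is a SyntaxError rather than a function call. The IBlockData shape, the handler's callback parameters and the sample inputs are assumptions for the example.

```javascript
// Added example, not code from the easy-email project.
// Minimal shape check for the data the source panel edits; the real
// IBlockData type (assumed here) has more fields than `type`.
function isBlockData(value) {
  return (
    value !== null &&
    typeof value === 'object' &&
    !Array.isArray(value) &&
    typeof value.type === 'string'
  );
}

// Safe replacement for `eval('(' + text + ')')`: JSON.parse only accepts
// JSON literals, so `"payload": alert(1)` fails to parse instead of running.
function parseBlockData(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    return { ok: false, error: 'invalid JSON: ' + err.message };
  }
  if (!isBlockData(parsed)) {
    return { ok: false, error: 'not a block object' };
  }
  return { ok: true, value: parsed };
}

// Handler in the shape of the panel's onChangeCode; the setValue and
// reportError callbacks are assumed names for this example.
function onChangeCode(event, setValue, reportError) {
  const result = parseBlockData(event.target.value);
  if (result.ok) {
    setValue(result.value);
  } else {
    reportError(result.error);
  }
}

// Constructed inputs: a benign block and a PoC-shaped payload (not executed).
const GOOD_INPUT =
  '{"type": "page", "data": {"value": {}}, "attributes": {}, "children": []}';
const BAD_INPUT = '{"type": "page", "payload": alert(1)}';

module.exports = { isBlockData, parseBlockData, onChangeCode, GOOD_INPUT, BAD_INPUT };
```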

Proof of Concept

Enter the following payload after selecting a template, then click elsewhere so the textarea loses focus and the onblur change handler runs.

{
  "type": "page",
  "payload": alert(1),
  ... (can be deleted without changing the overall execution of the payload above) ...
}

Impact

Execution of arbitrary JavaScript in the user's browser.
