Skip to content

JavaScript execution via malicious molfiles (XSS)

Moderate severity GitHub Reviewed Published Apr 13, 2021 in ipb-halle/MolecularFaces • Updated Jan 9, 2023

Package

maven de.ipb-halle:molecularfaces (Maven)

Affected versions

< 0.3.0

Patched versions

0.3.0

Description

Impact

The viewer plugin implementation of <mol:molecule> renders molfile data directly inside a <script> tag without any escaping. Arbitrary JavaScript code can thus be executed in the client browser via crafted molfiles.

Patches

Patched in v0.3.0: Molfile data is now rendered as value of a hidden <input> tag and escaped via JSF's mechanisms.

Workarounds

No workaround available.

References

@flange-ipb flange-ipb published to ipb-halle/MolecularFaces Apr 13, 2021
Reviewed Apr 13, 2021
Published to the GitHub Advisory Database Apr 16, 2021
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-2pwh-52h7-7j84

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.