HTML Injection

Affecting ag-grid package, versions >=3.3.0 <5.0.0-alpha.0

Do your applications use this vulnerable package? Test your applications

Overview

ag-grid is an advanced Data Grid / Data Table supporting Javascript / React / AngularJS / Web Components.

Affected versions of the package are vulnerable to HTML Injection. ag-grid used mozilla's Element.innerHTML, which is vulnerable to Cross-site Scripting (XSS) attacks when used within a user-inputted value. In this case an attacker could insert a malicious username and initiate a XSS attack, like:

<span onclick="alert('hacked!')">John Smith</span>

Remediation

Upgrade ag-grid to version 5.0.0 or higher.

References

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit
Theodore Brown
CWE
CWE-80
Snyk ID
npm:ag-grid:20160519
Disclosed
18 May, 2016
Published
16 Mar, 2017