Skip to content

Clipboard-based DOM-XSS

Moderate severity GitHub Reviewed Published Aug 12, 2021 in github/paste-markdown • Updated Feb 1, 2023

Package

npm @github/paste-markdown (npm)

Affected versions

< 0.3.4

Patched versions

0.3.4

Description

Impact

A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown library. If the clipboard data contains the string <table>, a div is dynamically created, and the clipboard content is copied into its innerHTML property without any sanitization, resulting in improper execution of JavaScript in the browser of the victim (the user who pasted the code). Users directed to copy text from a malicious website and paste it into pages that utilize this library are affected.

The following @github/paste-markdown code snippet is triggered when the user pastes something and the browser's clipboard data contains an entry whose content-type is text/HTML.

function generateText(transfer: DataTransfer): string | undefined {
  if (Array.from(transfer.types).indexOf('text/html') === -1) return

  let html = transfer.getData('text/html')
  if (!/<table/i.test(html)) return

  html = html.replace(/<meta.*?>/, '')

  const el = document.createElement('div')
  el.innerHTML = html
  const tables = el.querySelectorAll('table')

  for (const table of tables) {
    if (table.closest('[data-paste-markdown-skip]')) {
      table.replaceWith(new Text(table.textContent || ''))
    }
    const formattedTable = tableMarkdown(table)
    table.replaceWith(new Text(formattedTable))
  }

  return el.innerHTML
}

Patches

A security patch was released in version 0.3.4.

Workarounds

A Content Security Policy that prevents unsafe-inline helps reduce the likelihood of this vulnerability being exploited in modern browsers.

References

@koddsson koddsson published to github/paste-markdown Aug 12, 2021
Reviewed Aug 12, 2021
Published to the GitHub Advisory Database Aug 12, 2021
Published by the National Vulnerability Database Aug 12, 2021
Last updated Feb 1, 2023

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS score

0.137%
(50th percentile)

Weaknesses

CVE ID

CVE-2021-37700

GHSA ID

GHSA-gpfj-4j6g-c4w9

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.