Node.js third-party modules: XSS in Bootbox

2019-03-12T13:44:08
ID H1:508446
Type hackerone
Reporter yonjah
Modified 2019-05-04T16:52:39

Description

Hi.

Sorry for taking the time with this report.

This is an already publicly disclosed issue at https://github.com/makeusabrew/bootbox/issues/661

In essence all dialogs of bootbox are vulnerable to XSS injections ( `bootbox.alert("<script>alert(1);</script>");` )

This is apparently a feature to allow injecting HTML in messages but it is not very clear from the documentation.
Even though this issue has been reported for a while, no changes were made to fix this issue or even update the documentation.

Kind Regards,
Yoni

Impact

Websites using bootbox to display messages containing user input are vulnerable to XSS.
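
A caller-side mitigation for the behaviour reported above, as an added example that is not part of the original report or of Bootbox itself: HTML-encode untrusted strings before they reach `bootbox.alert`, `confirm`, `prompt` or `dialog`. The names `escapeHtml`, `escapeOptions`, `textOnly` and `fakeBootbox` are hypothetical, the stand-in library is constructed so the code runs under Node.js without a DOM, and treating `title` like `message` is an assumption.

```javascript
// Bootbox inserts the dialog message into the page as HTML, so text that
// contains user input has to be encoded by the caller first.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape the option fields that end up as dialog markup.
// Assumption: `title` is rendered the same way as `message`.
function escapeOptions(options) {
  const safe = Object.assign({}, options);
  for (const key of ['message', 'title']) {
    if (typeof safe[key] === 'string') safe[key] = escapeHtml(safe[key]);
  }
  return safe;
}

// Wrap a bootbox-like object so the first argument (a string, or an options
// object) is always encoded; callbacks and other arguments pass through.
function textOnly(bootbox) {
  const wrap = (method) => (first, ...rest) =>
    bootbox[method](
      typeof first === 'string' ? escapeHtml(first) : escapeOptions(first),
      ...rest
    );
  return { alert: wrap('alert'), confirm: wrap('confirm'), prompt: wrap('prompt'), dialog: wrap('dialog') };
}

// Constructed stand-in for the real library: records what each dialog receives.
function fakeBootbox(log) {
  const record = (method) => (arg) => { log.push({ method, arg }); };
  return { alert: record('alert'), confirm: record('confirm'), prompt: record('prompt'), dialog: record('dialog') };
}

function demo() {
  const log = [];
  const dialogs = textOnly(fakeBootbox(log));
  const userInput = '<script>alert(1);</script>'; // string from the report
  dialogs.alert(userInput);
  dialogs.dialog({ title: 'Hello ' + userInput, message: userInput });
  return log;
}
```

In a page that loads the real library, `textOnly(bootbox).alert(userInput)` shows the input as literal text; messages that intentionally contain markup should still go through `bootbox` directly with only their untrusted parts passed through `escapeHtml`.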