DataTables jQuery Plugin Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in the DataTables jQuery plugin, specifically in version 1.9.2, in the sBaseName parameter of the internal _fnCreateCookie function. sBaseName is used to build the name of the cookie in which the plugin persists table state. When an application lets attacker-influenced input reach this parameter, or otherwise allows an attacker to control the plugin's state cookie, the cookie contents can carry JavaScript that is executed in the context of the victim's browser session.

Impact

Exploitation of this vulnerability results in Cross-Site Scripting: arbitrary JavaScript runs in the user's browser under the origin of the affected site, with the usual consequences (access to the page's DOM and same-origin storage, actions performed with the victim's session, content injection).

Reproduction

To reproduce this vulnerability, first confirm that the target site loads DataTables version 1.9.2 with state saving enabled, so that _fnCreateCookie is reached. Next, expose the sBaseName parameter so that the cookie name or value can be influenced. Then set a cookie named 'XSS' whose value is 'alert(6)'. Finally, open the browser's developer-tools console, paste a snippet that reads the 'XSS' cookie and passes its value to the same code path the plugin uses when loading saved state, and execute it. If the alert dialog appears, the cookie contents were evaluated as JavaScript.

Note for testers: pasting a snippet into your own console is a self-XSS demonstration, not proof of remote exploitability. The finding is only meaningful against a real target if the plugin itself (or application code around it) reads the attacker-controlled cookie into an execution sink without any action by the victim beyond loading the page; verify that path before rating the issue.
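The pattern the reproduction relies on, cookie contents reaching an eval-style sink, is modelled below in an added JavaScript example. This is not DataTables' own code: the function names, the 'SpryMedia_DataTables_' cookie prefix, the state keys and the sample cookie string are assumptions constructed for the illustration. The unsafe loader executes whatever the cookie holds; the hardened loader parses strict JSON, whitelists the expected keys, and validates the base name as an RFC 6265 cookie-name token before it is used.

```javascript
// Added example: models the cookie-backed state-save path the advisory
// describes. NOT DataTables' own code; names and layout are assumptions.

// Constructed sample of document.cookie: one legitimate state cookie and one
// attacker-controlled cookie whose value is JavaScript, not JSON. The payload
// sets a global flag instead of calling alert() so the effect can be checked.
const SAMPLE_COOKIES = [
  'SpryMedia_DataTables_example_=' +
    encodeURIComponent('{"iStart":10,"iLength":25}'),
  'XSS=' + encodeURIComponent('(globalThis.__xss_fired = true, {})'),
].join('; ');

// Minimal cookie reader: returns the decoded value of `name`, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// UNSAFE loader: hands cookie content to eval, the sink the reproduction
// exercises. Any JavaScript stored in the cookie runs with page privileges.
function loadStateUnsafe(cookieString, name) {
  const raw = readCookie(cookieString, name);
  if (raw === null) return null;
  return eval('(' + raw + ')'); // eslint-disable-line no-eval
}

// Hardened loader: strict JSON only, then a whitelist of expected keys and
// types, so a tampered cookie degrades to "no saved state" rather than code.
const STATE_SCHEMA = { iStart: 'number', iLength: 'number' }; // assumed keys

function loadStateSafe(cookieString, name) {
  const raw = readCookie(cookieString, name);
  if (raw === null) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return null; // not JSON: discard, never evaluate
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return null;
  }
  const state = {};
  for (const [key, type] of Object.entries(STATE_SCHEMA)) {
    if (typeof parsed[key] !== type) return null;
    state[key] = parsed[key];
  }
  return state;
}

// Cookie names are RFC 6265 tokens. A base name that reaches the cookie
// string unchecked can smuggle separators ('=', ';') or whitespace, so reject
// anything outside the token character set before building the name.
const COOKIE_TOKEN = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/;

function safeCookieName(sBaseName) {
  if (typeof sBaseName !== 'string' || !COOKIE_TOKEN.test(sBaseName)) {
    throw new Error('invalid cookie base name');
  }
  return 'SpryMedia_DataTables_' + sBaseName + '_'; // prefix is an assumption
}

// Stand-alone demonstration.
globalThis.__xss_fired = false;
loadStateUnsafe(SAMPLE_COOKIES, 'XSS');
console.log('unsafe loader executed cookie payload:', globalThis.__xss_fired);
globalThis.__xss_fired = false;
console.log('safe loader result for XSS cookie:', loadStateSafe(SAMPLE_COOKIES, 'XSS'));
console.log('safe loader executed payload:', globalThis.__xss_fired);
console.log('legitimate state:', loadStateSafe(SAMPLE_COOKIES, safeCookieName('example')));
```

Run with any recent Node.js. The point to take from the two loaders is that the fix is not escaping the cookie value on output; it is never letting persisted state reach an evaluator at all, and constraining both the cookie name and the parsed shape to what the plugin actually needs.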

Added: Apr 7, 2026, 11:32 AM
Updated: Apr 7, 2026, 11:32 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.