seajs DOM Clobbering Vulnerability Leading to Cross-Site Scripting

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in seajs version 2.2.3. It stems from DOM clobbering: remote attackers can execute arbitrary code by injecting non-script HTML elements with unsanitized attributes. The root cause is how seajs determines the base URL for loading additional scripts; that lookup can be manipulated so that content is loaded from an attacker-controlled source.

Impact

Exploitation of this vulnerability allows for cross-site scripting (XSS) attacks, where an attacker can execute scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, inject an image tag with an unsanitized name attribute into a web page that uses seajs. This can be done through a comment or post. The injected image tags will be processed by the seajs script loader, which will mistakenly treat them as script elements. Once the image tags are recognized, they can be used to load external scripts from an attacker-controlled server, bypassing the normal script loading mechanisms.
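One mitigation on the injection side, as an added example that is not seajs code and not part of the original advisory: prefix every id and name attribute in user-submitted markup so it cannot shadow a property the loader reads. The function name, the user-content- prefix and the sample comment are assumptions, and the input is assumed to be sanitizer-normalized HTML in which every attribute value is quoted.

```javascript
// Added example: neutralize named-property attributes in untrusted HTML.
// ASSUMPTION: the markup was already normalized by an HTML sanitizer, so
// every attribute is written as attr="value" or attr='value'.
const PREFIX = 'user-content-'; // assumed prefix; any fixed string works

// Attributes whose values become named properties on document/window.
const NAMED_ATTRS = new Set(['id', 'name']);

// An opening tag with its attribute list, and one quoted attribute.
const TAG_RE =
  /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'<>\/=]+)\s*=\s*("([^"]*)"|'([^']*)')/g;

// Returns the rewritten markup plus a list of what was rewritten, so the
// findings can be logged or used to reject the submission outright.
function neutralizeNamedProps(html) {
  const findings = [];
  const output = html.replace(TAG_RE, (tag, tagName) =>
    tag.replace(ATTR_RE, (attr, attrName, quoted, dq, sq) => {
      const value = dq !== undefined ? dq : sq;
      const lower = attrName.toLowerCase();
      // Leave other attributes alone; skip values that are already prefixed.
      if (!NAMED_ATTRS.has(lower) || value.startsWith(PREFIX)) return attr;
      findings.push({ tag: tagName.toLowerCase(), attr: lower, value });
      const q = quoted[0]; // keep the original quote character
      return `${attrName}=${q}${PREFIX}${value}${q}`;
    })
  );
  return { output, findings };
}

// Constructed sample comment; "someProperty" is a placeholder value.
const sampleComment =
  '<p>Nice post <img name="someProperty" src="https://images.example/a.png"></p>';

const result = neutralizeNamedProps(sampleComment);
console.log(result.output);
console.log(result.findings);
```

Prefixing changes element ids, so in-page anchors that point at user-supplied ids need the same prefix.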

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.