@nuxtjs Markdown Component Remote Script-Inclusion and Stored Cross-Site Scripting Vulnerability
Vulnerability
A remote script-inclusion vulnerability leading to stored cross-site scripting has been identified in the @nuxtjs/mdc package prior to version 0.17.2. The vulnerability allows a Markdown author to inject a <base> element with a malicious href. Because the <base> tag changes how the browser resolves every relative URL on the page, relative script, stylesheet, or image references are then fetched from an external, attacker-controlled origin. Once loaded, any injected JavaScript executes in the context of the site.
Impact
Exploitation of this vulnerability results in stored cross-site scripting via remote script inclusion, with the injected script running under the site's origin. This can lead to full takeover of visitor sessions and to any other action an injected script is able to perform.
Reproduction
To reproduce this vulnerability, inject a <base> tag with a malicious href into Markdown that will be processed by @nuxtjs/mdc. Once the Markdown is rendered, the <base> tag will be parsed, allowing for the inclusion of scripts from the specified URL. After the page is loaded, the injected script will execute in the context of the site.
Remediation
Users are advised to sanitize or disallow <base> tags in the Markdown renderer; the safest approach is to remove them entirely. Alternatively, <base> tags can be restricted to same-origin URLs, blocking protocols such as http:, https:, and data:. Until a patch is released, raw HTML can be disabled in Markdown, or an external sanitizer such as DOMPurify can be used to strip <base> tags.
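The following is an added example, not code from @nuxtjs/mdc or the advisory, showing the remediation above at the AST layer where a Markdown pipeline can enforce it. It assumes the renderer produces a HAST-shaped tree (the node shape rehype plugins receive) before serializing HTML; the plugin name rehypeNoBase, the helper names, the placeholder SITE_ORIGIN and the sample tree are all constructed for this illustration. The default policy removes every <base>; the sameOriginOnly option implements the alternative of keeping only relative hrefs that resolve to the site's own origin, rejecting absolute URLs of any scheme. A small resolveRelative helper also shows why the element is dangerous: the same relative reference resolves to the site without a <base> and to the injected origin with one.

```javascript
// Added example (not code from @nuxtjs/mdc): a defensive filter that removes
// or restricts <base> elements in a HAST-shaped tree, the node shape that
// rehype plugins receive. Assumed: a Markdown pipeline that renders raw HTML
// into such a tree before serialization. SITE_ORIGIN is a placeholder.

const SITE_ORIGIN = 'https://docs.example';

// Shows why an injected <base> matters: the same relative reference resolves
// to the site's own origin without it and to the injected origin with it.
function resolveRelative(relativeRef, baseHref, pageUrl = SITE_ORIGIN + '/guide/') {
  const effectiveBase = baseHref ? new URL(baseHref, pageUrl) : new URL(pageUrl);
  return new URL(relativeRef, effectiveBase).href;
}

// Policy for a <base href>. Default: allow nothing (remove every <base>).
// With sameOriginOnly, keep only a relative href that resolves to siteOrigin;
// absolute URLs of any scheme (http:, https:, data:, ...), protocol-relative
// "//host" and backslash forms are rejected by the origin comparison.
function isAllowedBaseHref(href, { sameOriginOnly = false, siteOrigin = SITE_ORIGIN } = {}) {
  if (!sameOriginOnly || typeof href !== 'string') return false;
  // Browsers drop ASCII tab/newline inside URLs, so "ht\ttps:" is still a scheme.
  const cleaned = href.trim().replace(/[\t\n\r]/g, '');
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(cleaned) || cleaned.startsWith('//')) return false;
  try {
    return new URL(cleaned, siteOrigin).origin === new URL(siteOrigin).origin;
  } catch {
    return false; // unparsable href: treat as disallowed
  }
}

// Walk the tree, dropping <base> elements that fail the policy (tag names are
// matched case-insensitively). Returns the count removed, useful for logging
// which documents carried an injection attempt.
function removeBaseElements(node, options = {}) {
  if (!node || !Array.isArray(node.children)) return 0;
  let removed = 0;
  node.children = node.children.filter((child) => {
    const isBase = child.type === 'element' && String(child.tagName).toLowerCase() === 'base';
    if (!isBase) return true;
    const href = child.properties ? child.properties.href : undefined;
    if (isAllowedBaseHref(href, options)) return true;
    removed += 1;
    return false;
  });
  for (const child of node.children) removed += removeBaseElements(child, options);
  return removed;
}

// unified/rehype plugin shape: a function returning a tree transformer.
function rehypeNoBase(options = {}) {
  return (tree) => { removeBaseElements(tree, options); };
}

function collectTagNames(node, out = []) {
  if (node.type === 'element') out.push(String(node.tagName).toLowerCase());
  for (const child of node.children || []) collectTagNames(child, out);
  return out;
}

// Constructed sample tree: what a renderer might produce for Markdown carrying
// raw HTML <base> elements next to a relative script reference.
function sampleTree() {
  return {
    type: 'root',
    children: [
      { type: 'element', tagName: 'base', properties: { href: 'https://attacker.example/' }, children: [] },
      { type: 'element', tagName: 'p', properties: {}, children: [
        { type: 'element', tagName: 'BASE', properties: { href: '//attacker.example/' }, children: [] },
        { type: 'text', value: 'hello' },
      ] },
      { type: 'element', tagName: 'script', properties: { src: 'assets/app.js' }, children: [] },
    ],
  };
}

// Runs the default (remove-all) policy over the sample and reports the result.
function demo() {
  const tree = sampleTree();
  const removed = removeBaseElements(tree);
  return { removed, remaining: collectTagNames(tree) };
}

console.log(resolveRelative('assets/app.js', null));
console.log(resolveRelative('assets/app.js', 'https://attacker.example/'));
console.log(demo());
```

In a real pipeline the plugin would be registered after the raw-HTML step (for example `.use(rehypeNoBase)` on the unified processor), so it runs on the tree that actually contains the author's HTML; running it earlier, before raw HTML is parsed, would miss the element. Logging the removed count per document gives a simple detection signal for content that attempted the injection.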
