Hexpm Shared Authorization View Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Hexpm web application, specifically within the Shared Authorization View module. This issue allows for improper neutralization of input during web page generation, which can be exploited to execute arbitrary JavaScript in the context of the user's browser. The vulnerability arises from the OAuth Device Authorization flow, where crafted parameters are reflected in the device verification page without adequate output encoding. As a result, an attacker can send a link containing a malicious script to a victim, who, upon opening the link, would inadvertently execute the script in their browser. This vulnerability affects Hexpm versions from 617e44c71f1dd9043870205f371d375c5c4d886d prior to c692438684ead90c3bcbfb9ccf4e63c768c668a8.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute scripts in the context of the victim's browser, potentially leading to unauthorized data manipulation or interaction with the application's OAuth device authorization process.

Reproduction

To reproduce this vulnerability, initiate an OAuth Device Authorization flow by sending a request that includes a scope with a malicious payload, such as a script tag. Once the authorization link is received, open it in a browser. The injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to Hexpm version c692438684ead90c3bcbfb9ccf4e63c768c668a8 or later to address this vulnerability.