CesiumGS CesiumJS
cpe:2.3:a:cesium:cesiumjs:*:*:*:*:*:*:*
- <= 1.137.0
A reflected cross-site scripting vulnerability has been identified in CesiumGS CesiumJS versions through 1.137.0. The issue resides in the Sandcastle standalone demo viewer, specifically in the 'Apps/Sandcastle/standalone.html' file, which reads the URL fragment (the part of the URL after '#'), decodes it, and writes the decoded content into the page without escaping it. A remote attacker who crafts the fragment can therefore inject markup or script that runs in the context of the victim's browser on the origin hosting the viewer.
Exploitation is reflected cross-site scripting: the injected script runs as soon as a victim opens the attacker-supplied link, with no persistence on the server. In the context of the hosting origin this could lead to theft of session cookies, authentication tokens, and other sensitive data, and to unauthorized actions performed on behalf of the user.
To reproduce this vulnerability, create a JSON payload containing malicious JavaScript or HTML, compress it with DEFLATE, and base64-encode the result. Then craft a URL to the standalone viewer whose fragment carries the encoded payload. When the URL is opened, the application base64-decodes and inflates the fragment, parses the JSON, and inserts its fields into the DOM, where the injected content is executed.
To address this vulnerability, escape the decoded fields as HTML (or insert them as text nodes rather than as markup) before they reach the DOM. Additionally, validate the 'baseHref' field against an allowlist of trusted relative paths and reject or replace anything else, and deploy a Content Security Policy that restricts script execution as defense in depth.