Absinthe-GraphQL Absinthe_Plug Reflected Cross-Site Scripting Vulnerability in GraphiQL Interface
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Absinthe-GraphQL library, specifically within the absinthe_plug component, starting from version 1.2.0. The issue arises in the GraphiQL interface, where the js_escape function fails to properly escape backslashes in the query GET parameter. This oversight allows attackers to manipulate the input, breaking out of a JavaScript string context and executing arbitrary scripts in the user's browser.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute malicious JavaScript in the context of the victim's browser.
Reproduction
To reproduce this vulnerability, access the GraphiQL interface with a crafted query parameter that contains a backslash immediately followed by a quote. Because js_escape does not escape the backslash, it cancels the backslash that js_escape inserts before the quote, so the quote is left unescaped and terminates the JavaScript string literal, allowing the injected JavaScript code that follows to execute. For example, a query string like 'xxx\');confirm(document.domain);//' breaks out of the JavaScript string context and runs a statement that displays a dialog showing the value of document.domain.
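The following is an added illustration, not code from Absinthe or absinthe_plug: a hypothetical `naiveJsEscape` that escapes the quote delimiter but not backslashes (the class of defect the advisory describes), beside a hardened `safeJsEscape`, and a small tokenizer-style check, `literalClosesEarly`, that reports whether an escaped value can terminate the single-quoted JavaScript literal it is embedded in. The probe string is the advisory's own query shape, constructed inline; nothing is evaluated.

```javascript
// Added example (not absinthe_plug's code). Demonstrates why escaping the
// delimiter alone is insufficient when interpolating into a JS string literal.

// Hypothetical naive escaper: handles the quote and newlines, ignores backslashes.
function naiveJsEscape(value) {
  return value
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r");
}

// Hardened escaper: the backslash must be escaped FIRST, otherwise the
// backslashes inserted by later replacements can themselves be neutralized.
// '<' is also escaped so a value cannot close an inline <script> element,
// and U+2028/U+2029 are escaped because they are line terminators in JS.
function safeJsEscape(value) {
  return value
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/</g, "\\x3c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Reads the escaped text the way a JS tokenizer reads the body of a
// single-quoted literal. Returns true if an unescaped quote ends the literal
// before the payload does, i.e. whatever follows would be parsed as code.
function literalClosesEarly(escaped) {
  let i = 0;
  while (i < escaped.length) {
    const ch = escaped[i];
    if (ch === "\\") { i += 2; continue; } // escape sequence consumes next char
    if (ch === "'") return true;            // literal terminated early
    i += 1;
  }
  return false;
}

// Constructed probe mirroring the advisory's query shape: a backslash directly
// before the closing quote. It is only inspected, never executed.
const probe = "xxx\\');confirm(document.domain);//";

// Runs one escaper over the probe and reports whether the result breaks out.
function report(escapeFn) {
  const escaped = escapeFn(probe);
  return { escaped, breaksOut: literalClosesEarly(escaped) };
}

console.log("naive:", report(naiveJsEscape)); // breaksOut: true
console.log("safe: ", report(safeJsEscape));  // breaksOut: false
```

With the naive escaper the probe becomes `xxx\\');...`: the user's backslash plus the inserted one form an escaped backslash, and the quote that follows is unescaped, which is exactly the break-out the advisory describes. The hardened escaper yields `xxx\\\');...`, where the quote remains escaped. A sturdier design avoids hand-written escaping entirely: serialize the value with `JSON.stringify` (still escaping `<` for inline scripts) or pass it out of band, for example via a `data-` attribute read by the page script, and pair that with a Content-Security-Policy that disallows inline script.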
Remediation
Users can update to the latest version of absinthe_plug, where this vulnerability has been fixed.
