blitz-js blitz
- <= 3.0.2
A cross-site scripting (XSS) vulnerability has been identified in Blitz.js versions through 3.0.2. The issue arises in the LoginForm component, which does not properly validate the `next` URL parameter before using it as the post-login redirect target. Because the value is passed through unchecked, an attacker can supply a `javascript:` URL and have script executed in the application's origin in the victim's browser.
Exploitation gives the attacker cross-site scripting: the injected script runs with the victim's session, so it can read data exposed to page scripts, steal credentials or tokens, and perform actions on behalf of the user. If the victim is on an internal network, the script can also be used to reach other internal systems from the victim's browser.
To reproduce this vulnerability, send a user a crafted link to the login page whose `next` parameter is a `javascript:` URL. When the user follows the link and logs in, the application redirects to that value and the injected JavaScript executes, demonstrating the cross-site scripting vulnerability.
To address this vulnerability, validate the `next` parameter before using it for redirection. Accept only an absolute-path reference on the same origin (a value beginning with a single `/`, not `//` or `/\`), resolve it against the application's own origin, and fall back to a fixed default path otherwise. Merely allowing the `http` and `https` schemes is not sufficient: that still lets a full URL such as `https://evil.example/` through, turning the XSS into an open redirect, and it does nothing about the redirect target being a `javascript:` URL unless the scheme is actually checked.
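As an added example (not Blitz.js's own code), the following shows the unsafe pattern described above beside a hardened `next` handler. `APP_ORIGIN`, `DEFAULT_PATH`, the function names and the sample `next` values are assumptions constructed for illustration; the hardened version relies on the WHATWG URL parser so that the value is interpreted the same way the browser would interpret it.

```javascript
// Added example, not code from Blitz.js: vulnerable vs. hardened handling of
// a `next` redirect parameter. APP_ORIGIN, DEFAULT_PATH, the function names
// and the sample inputs are assumptions made for illustration.

const APP_ORIGIN = "https://app.example.com"; // assumed origin of the app
const DEFAULT_PATH = "/";                      // fallback when `next` is unusable

// Vulnerable pattern: trust `next` as-is. A `javascript:` value handed to a
// client-side navigation runs attacker script in the victim's origin; an
// absolute or protocol-relative URL sends the freshly logged-in user off-site.
function unsafeRedirectPath(next) {
  return next || DEFAULT_PATH;
}

// Hardened pattern: accept only an absolute-path reference ("/...") that,
// once resolved the way a browser resolves it, still lives on APP_ORIGIN.
function safeRedirectPath(next) {
  if (typeof next !== "string" || !next.startsWith("/")) return DEFAULT_PATH;
  // "//host" and "/\host" are protocol-relative in browsers, not paths.
  if (next.startsWith("//") || next.startsWith("/\\")) return DEFAULT_PATH;
  let url;
  try {
    url = new URL(next, APP_ORIGIN); // WHATWG parsing, same rules as the browser
  } catch {
    return DEFAULT_PATH;             // unparseable input
  }
  // javascript:, data:, and foreign hosts all fail this comparison.
  if (url.origin !== APP_ORIGIN) return DEFAULT_PATH;
  // Re-serialise from the parsed parts instead of echoing the raw input.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs: one legitimate value followed by attacker payloads.
const SAMPLE_NEXT_VALUES = [
  "/dashboard?tab=billing#top",
  "javascript:alert(document.cookie)",
  " javascript:alert(1)",
  "//evil.example/phish",
  "/\\evil.example",
  "https://evil.example/",
];

// Run every sample through both handlers so the difference is visible.
function compare(values = SAMPLE_NEXT_VALUES) {
  return values.map((next) => ({
    next,
    unsafe: unsafeRedirectPath(next),
    safe: safeRedirectPath(next),
  }));
}

console.table(compare());
```

Only the first sample survives `safeRedirectPath` unchanged; every payload collapses to `DEFAULT_PATH`, including the backslash and leading-whitespace variants that a naive `startsWith("javascript:")` or `startsWith("/")` check alone would miss. Absolute same-origin URLs are also rejected, which keeps the accepted grammar small enough to reason about.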