#VU23459 Cross-site scripting in Viewer.js
Vulnerability identifier: #VU23459
Vulnerability risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-79
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Viewer.js
Web applications /
Modules and components for CMS
Vendor: Fengyuan Chen
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the "org.webjars:viewerjs" due to a lack of escaping on user inputted html entities, such as "alt", "src" and "url". A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Viewer.js: 0.1.0 - 1.3.5
External links
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-536476
http://github.com/fengyuanchen/viewerjs/commit/00771b70dde5cd07745dda30c445961e2d3e4289
http://github.com/fengyuanchen/viewerjs/commit/ddd0c3d515dd1d8ea3e0323f486fab7d2cd5631f
http://github.com/fengyuanchen/viewerjs/issues/269
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
