漏洞描述
RevealJS postMessage before 4.3.0 contains a cross-site scripting vulnerability via the document object model.
CVE-2022-0776: RevealJS postMessage <4.3.0 - Cross-Site Scripting
PoC代码[已公开]
id: CVE-2022-0776
info:
name: RevealJS postMessage <4.3.0 - Cross-Site Scripting
author: LogicalHunter
severity: medium
description: RevealJS postMessage before 4.3.0 contains a cross-site scripting vulnerability via the document object model.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
remediation: |
Upgrade to RevealJS postMessage version 4.3.0 or later to mitigate this vulnerability.
reference:
- https://hackerone.com/reports/691977
- https://github.com/hakimel/reveal.js/pull/3137
- https://huntr.dev/bounties/be2b7ee4-f487-42e1-874a-6bcc410e4001/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0776
- https://github.com/hakimel/reveal.js/commit/32cdd3b1872ba8e2267c9e87ae216cb55f40f4d2
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-0776
cwe-id: CWE-79
epss-score: 0.08012
epss-percentile: 0.91778
cpe: cpe:2.3:a:revealjs:reveal.js:*:*:*:*:*:node.js:*:*
metadata:
vendor: revealjs
product: reveal.js
framework: node.js
tags: cve,cve2022,hackerone,huntr,headless,postmessage,revealjs,node.js
headless:
- steps:
- args:
url: "{{BaseURL}}"
action: navigate
- action: waitload
- action: script
name: extract
args:
code: |
() => {
return (Reveal.VERSION <= "3.8.0" || Reveal.VERSION < "4.3.0")
}
matchers:
- type: word
part: extract
words:
- "true"
# digest: 4b0a004830460221008e5b6e567e07716ae764e77c5d3cd6f4ad0f2c341fbbca7911a1960ccab10dbe022100b5585a363a6fe47285efad7e05478ffdef20cbf1f98e8b68754ed0072558e0ee:922c64590222798bb761d5b6d8e72950