{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dom-xss/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["locize client SDK"],"_cs_severities":["high"],"_cs_tags":["xss","dom-xss","postMessage","locize","javascript"],"_cs_type":"advisory","_cs_vendors":["locize"],"content_html":"\u003cp\u003eThe locize client SDK, a browser module integrating the locize InContext translation editor, contains a cross-origin vulnerability in versions prior to 4.0.21. The vulnerability stems from the SDK\u0026rsquo;s failure to validate the \u003ccode\u003eevent.origin\u003c/code\u003e property when handling \u003ccode\u003ewindow.addEventListener(\u0026quot;message\u0026quot;)\u003c/code\u003e events. This allows a malicious webpage sharing a window reference with a locize-enabled host (e.g., via an iframe) to send crafted \u003ccode\u003epostMessage\u003c/code\u003e calls, triggering internal handlers without proper authorization. Successful exploitation can lead to DOM-based XSS, hijacking of the \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e properties, and CSS injection, potentially compromising the confidentiality and integrity of the application. This vulnerability was discovered via an internal security audit of the locize ecosystem.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker hosts a malicious webpage with the intent to exploit a locize-enabled application.\u003c/li\u003e\n\u003cli\u003eThe locize-enabled application embeds the attacker\u0026rsquo;s page as an iframe or has a \u003ccode\u003ewindow.opener\u003c/code\u003e/\u003ccode\u003ewindow.open\u003c/code\u003e relationship with it.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003epostMessage\u003c/code\u003e with a \u003ccode\u003esender\u003c/code\u003e field equal to \u003ccode\u003e\u0026quot;i18next-editor-frame\u0026quot;\u003c/code\u003e and a malicious payload targeted at specific handlers.\u003c/li\u003e\n\u003cli\u003eThe locize SDK\u0026rsquo;s \u003ccode\u003ewindow.addEventListener(\u0026quot;message\u0026quot;)\u003c/code\u003e handler receives the message and, without validating \u003ccode\u003eevent.origin\u003c/code\u003e, dispatches it to the internal handlers.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003eeditKey\u003c/code\u003e or \u003ccode\u003ecommitKeys\u003c/code\u003e handlers, the attacker-controlled payload values are assigned to \u003ccode\u003eitem.node.innerHTML\u003c/code\u003e or \u003ccode\u003eitem.node.setAttribute(attr, value)\u003c/code\u003e, injecting malicious scripts or HTML.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003eisLocizeEnabled\u003c/code\u003e handler, the \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e are hijacked, redirecting subsequent messages to the attacker\u0026rsquo;s window and exfiltrating translation content.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003erequestPopupChanges\u003c/code\u003e handler, malicious CSS code is injected into the popup\u0026rsquo;s inline style.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or injects malicious content into the locize-enabled application, impacting its integrity and confidentiality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical consequences. Cross-origin DOM XSS allows arbitrary code execution within the context of the vulnerable application. Hijacking \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e results in the leakage of translation content and metadata to the attacker, compromising sensitive information. CSS injection can alter the visual appearance of the application, potentially leading to phishing attacks or further exploitation. The number of victims depends on the adoption rate of vulnerable locize SDK versions prior to 4.0.21.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003elocize\u003c/code\u003e client SDK version 4.0.21 or later to patch the vulnerability. This version implements \u003ccode\u003eevent.origin\u003c/code\u003e validation in \u003ccode\u003esrc/api/postMessage.js\u003c/code\u003e, mitigating the risk of cross-origin attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Locize Client SDK DOM XSS Attempt via postMessage\u0026rdquo; to identify exploitation attempts based on manipulation of \u003ccode\u003einnerHTML\u003c/code\u003e or \u003ccode\u003esetAttribute\u003c/code\u003e in the locize context.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious \u003ccode\u003epostMessage\u003c/code\u003e events originating from unexpected domains to detect potential exploitation attempts targeting the locize SDK.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-locize-xss/","summary":"The locize client SDK versions prior to 4.0.21 are vulnerable to cross-origin DOM XSS and handler hijack due to missing origin validation in the InContext Editor, allowing attackers to inject malicious code and exfiltrate data via crafted postMessage events.","title":"locize Client SDK Cross-Origin DOM XSS and Handler Hijack Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-locize-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Dom-Xss","version":"https://jsonfeed.org/version/1.1"}