{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unsanitized-input/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["github.com","@tdurieux/anonymous_github (vulnerable: = 2.2.0)"],"_cs_severities":["high"],"_cs_tags":["xss","github","unsanitized-input","client-side-vulnerability"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThe @tdurieux/anonymous_github application is vulnerable to cross-site scripting (XSS) due to its unsafe handling of GitHub repository content. Specifically, the application fetches README files from GitHub repositories and renders them without proper sanitization. The vulnerability lies in the client-side rendering process, where markdown is parsed using \u003ccode\u003emarked\u003c/code\u003e with the \u003ccode\u003esanitize: false\u003c/code\u003e option and then injected into the DOM via \u003ccode\u003e$sce.trustAsHtml()\u003c/code\u003e and \u003ccode\u003eng-bind-html\u003c/code\u003e, effectively bypassing AngularJS\u0026rsquo;s built-in XSS protection. An attacker can exploit this vulnerability by creating a malicious GitHub repository containing a specially crafted README file that executes arbitrary JavaScript code within the context of the Anonymous GitHub origin. This issue affects version 2.2.0 of @tdurieux/anonymous_github.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003eREADME.md\u003c/code\u003e file within the repository containing malicious JavaScript embedded within HTML tags, such as \u003ccode\u003e\u0026lt;img src=x onerror=\u0026quot;alert(document.domain)\u0026quot;\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA user navigates to the Anonymous GitHub application.\u003c/li\u003e\n\u003cli\u003eThe user enters the URL of the attacker\u0026rsquo;s malicious repository into Anonymous GitHub to anonymize it.\u003c/li\u003e\n\u003cli\u003eAnonymous GitHub fetches the \u003ccode\u003eREADME.md\u003c/code\u003e file from the attacker\u0026rsquo;s repository via GitHub\u0026rsquo;s REST API.\u003c/li\u003e\n\u003cli\u003eThe application renders the \u003ccode\u003eREADME.md\u003c/code\u003e using \u003ccode\u003emarked\u003c/code\u003e with \u003ccode\u003esanitize: false\u003c/code\u003e and injects the resulting HTML into the DOM via \u003ccode\u003e$sce.trustAsHtml()\u003c/code\u003e and \u003ccode\u003eng-bind-html\u003c/code\u003e without sanitization.\u003c/li\u003e\n\u003cli\u003eThe embedded JavaScript within the \u003ccode\u003eREADME.md\u003c/code\u003e executes in the user\u0026rsquo;s browser within the Anonymous GitHub origin.\u003c/li\u003e\n\u003cli\u003eThe attacker can then steal authentication tokens and session cookies or access other users\u0026rsquo; anonymization configurations and private repository data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the Anonymous GitHub origin. This can lead to several critical impacts, including account takeover through stealing authentication tokens and session cookies. Additionally, the attacker could potentially exfiltrate sensitive data, such as other users\u0026rsquo; anonymization configurations and private repository data via the \u003ccode\u003e/api/user\u003c/code\u003e and \u003ccode\u003e/api/repo/list\u003c/code\u003e endpoints. The application is vulnerable to Stored XSS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement proper sanitization of markdown output using DOMPurify before rendering, leveraging the existing but unused dependency.\u003c/li\u003e\n\u003cli\u003eModify the server configuration to serve HTML files with the \u003ccode\u003eContent-Disposition: attachment\u003c/code\u003e header or render them within a sandboxed iframe on a separate origin to prevent XSS.\u003c/li\u003e\n\u003cli\u003eReplace the usage of \u003ccode\u003e$sce.trustAsHtml()\u003c/code\u003e with proper \u003ccode\u003engSanitize\u003c/code\u003e usage for safe HTML binding in AngularJS.\u003c/li\u003e\n\u003cli\u003eApply the following remediation steps outlined in the advisory: HTML-escape filenames and paths in directory listing templates, and add Content Security Policy headers.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Anonymous GitHub XSS via Unsanitized Markdown\u0026rdquo; to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T18:28:32Z","date_published":"2026-05-05T18:28:32Z","id":"/briefs/2024-01-03-anonymous-github-xss/","summary":"The @tdurieux/anonymous_github application is vulnerable to cross-site scripting (XSS) because it renders unsanitized content from GitHub repositories, allowing a malicious GitHub repository to execute arbitrary JavaScript in the Anonymous GitHub origin.","title":"Anonymous GitHub Vulnerable to XSS via Unsanitized GitHub Repository Content","url":"https://feed.craftedsignal.io/briefs/2024-01-03-anonymous-github-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Unsanitized-Input","version":"https://jsonfeed.org/version/1.1"}