{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/xmldom/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["xmldom"],"_cs_severities":["high"],"_cs_tags":["xml","injection","deserialization","vulnerability"],"_cs_type":"advisory","_cs_vendors":["xmldom"],"content_html":"\u003cp\u003eThe xmldom library is susceptible to XML node injection due to a lack of validation when serializing comment nodes. Versions prior to 0.8.13 and versions between 0.9.0 and 0.9.10 are vulnerable. An attacker can inject arbitrary XML nodes into the serialized output by including comment-breaking sequences (e.g., \u003ccode\u003e--\u0026gt;\u003c/code\u003e) in the comment data. This allows them to alter the structure of the XML document. Exploitation involves crafting malicious input that leverages the library\u0026rsquo;s DOM construction and serialization flow. It matters because applications using xmldom to process potentially untrusted XML data could be coerced into generating malicious XML structures. The fix requires an opt-in \u003ccode\u003erequireWellFormed\u003c/code\u003e flag to be enabled when calling \u003ccode\u003eserializeToString()\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn application receives untrusted data intended for use in XML comment content.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003ecreateComment(data)\u003c/code\u003e in xmldom, passing the untrusted data. The library stores the data without proper validation.\u003c/li\u003e\n\u003cli\u003eThe application constructs an XML document, including the comment node created in the previous step.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eserializeToString()\u003c/code\u003e on the XML document to serialize it.\u003c/li\u003e\n\u003cli\u003eIf the untrusted data contains comment-breaking sequences, such as \u003ccode\u003e--\u0026gt;\u003c/code\u003e, the serializer prematurely terminates the comment.\u003c/li\u003e\n\u003cli\u003eThe serializer injects any subsequent content in the untrusted data as live XML markup.\u003c/li\u003e\n\u003cli\u003eThe application stores, forwards, signs, or hands the serialized XML to another parser.\u003c/li\u003e\n\u003cli\u003eThe downstream consumer trusts the altered XML structure, leading to unintended consequences, such as misconfiguration or security bypass.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to inject arbitrary XML nodes, potentially altering the structure and meaning of generated XML documents. This could lead to misconfiguration, policy bypass, or other security vulnerabilities in applications that rely on the integrity of the XML structure. The vulnerability affects applications that use xmldom to build XML from untrusted input. The number of victims depends on the usage of the vulnerable library and the exposure of applications to untrusted XML data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e version 0.8.13 or 0.9.10 or later to gain access to the fix.\u003c/li\u003e\n\u003cli\u003eAudit all calls to \u003ccode\u003eserializeToString()\u003c/code\u003e and add the \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e option when serializing comments containing potentially untrusted data.\u003c/li\u003e\n\u003cli\u003eImplement server-side input validation to sanitize comment data by removing comment-breaking sequences like \u003ccode\u003e--\u0026gt;\u003c/code\u003e before passing it to \u003ccode\u003ecreateComment()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect comment injections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-xmldom-injection/","summary":"The xmldom library is vulnerable to XML node injection, allowing attackers to inject arbitrary XML nodes into serialized output by manipulating comment content; this is mitigated by using the `requireWellFormed` option in `serializeToString` after upgrading to version 0.8.13 or 0.9.10.","title":"xmldom XML Node Injection via Comment Serialization","url":"https://feed.craftedsignal.io/briefs/2024-01-26-xmldom-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Xmldom","version":"https://jsonfeed.org/version/1.1"}