Summary
Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection of a invalid HTML tag with a template injection payload on the next line.
Details
The root cause of the vulnerability is due to the mustache expressions escaping to be done before the dom-purify module, at which point the invalid tags are removed. The mustache expressions are then no longer escaped.
PoC
Payload was executable by having an invalid HTML tag with the template payload in the next line.
<INVALID TAG>
{{ TEMPLATE CODE }}
Example:
<xyzabcd>
{{constructor.constructor('alert(1)')()}}
Impact
Due to the JWT and other possible authentication cookies having to be modified or interacted with through JavaScript as a result of the single page architecture, the HTTPOnly flag not being set to true could leave any authentication cookies vulnerable to compromise which would lead to the compromise of normal user and possibly privileged user accounts.
It should be noted that this can allow a threat actor to execute any JavaScript a developer would be able to in the context of a victims browser and is not limited to the compromise of user authentication cookies.
Et43 Analyst
Summary
Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection of a invalid HTML tag with a template injection payload on the next line.
Details
The root cause of the vulnerability is due to the mustache expressions escaping to be done before the dom-purify module, at which point the invalid tags are removed. The mustache expressions are then no longer escaped.
PoC
Payload was executable by having an invalid HTML tag with the template payload in the next line.
Example:
Impact
Due to the JWT and other possible authentication cookies having to be modified or interacted with through JavaScript as a result of the single page architecture, the HTTPOnly flag not being set to true could leave any authentication cookies vulnerable to compromise which would lead to the compromise of normal user and possibly privileged user accounts.
It should be noted that this can allow a threat actor to execute any JavaScript a developer would be able to in the context of a victims browser and is not limited to the compromise of user authentication cookies.