
CVE-2019-11002: Materialize-css vulnerable to Cross-site Scripting in tooltip component

CVSS Score: 6.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.47673%
Published: 4/9/2019
Updated: 8/28/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name                 | Ecosystem | Vulnerable Versions | First Patched Version
-----------------------------|-----------|---------------------|----------------------
materialize-css              | npm       | <= 1.0.0            | (none)
@materializecss/materialize  | npm       | < 1.1.0-alpha       | 1.1.0-alpha

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the tooltip component's failure to sanitize user-controlled input (via 'data-tooltip' attributes) before rendering. Evidence from the GitHub issue #6286 shows explicit examples of XSS via <IFRAME> tags in tooltips, and the pull request #49 in the fork introduces 'unsafeHTML' flags and textContent usage to mitigate this. The core issue lies in functions handling tooltip content rendering, specifically those processing HTML without sanitization. The Tooltip.init and renderTooltip() functions are logical points where this unsafe injection would occur based on Materialize's architecture and the described vulnerability mechanism.


WAF Protection Rules

All versions of `materialize-css` are vulnerable to Cross-Site Scripting. The `tooltip` component does not sufficiently sanitize user input, allowing an attacker to execute arbitrary JavaScript code if the malicious input is rendered by a user.
