  • #1612
Closed
Open
Issue created Oct 21, 2021 by Michael Catanzaro@mcatanzaroMaintainer

Various XSS, including via page titles in about:overview (CVE-2021-45085, CVE-2021-45086, CVE-2021-45087, CVE-2021-45088)

We received the following report via WebKit Bugzilla:

Specifics

The specifics of my browser:

  • Browser: epiphany (https://wiki.gnome.org/Apps/Web)
  • Version: 40.3
  • WebKitGTK: 2.32.4
  • Build Date: Fri 13 Aug 2021 03:59:58 +0545

Description

The browser in its default page (ephy-about:overview) displays the most visited sites/pages which include a thumbnail preview of the page and the title. The title, however, isn't sanitized/encoded before being inserted in the DOM, leading to XSS.

Reproduction Steps

It might need frequent visits to a site with an XSS payload in its title. So, please be patient or see the source code on how it's being inserted. I have set up a page with XSS in the title for easier reproduction.

  1. Visit https://cm2.pw/title
  2. You can remove existing ones from ephy-about:overview to bring the recently visited page in the view
  3. When you see the page in ephy-about:overview, just open a new tab

You should see a pop-up.

Impact

Since the XSS is in ephy-about:// and assuming that it's a privileged page, it completely bypasses the SOP. If there's a need for a POC, please let me know and I'd be happy to come up with one.

Additional Details

  • User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
  • DOM: Attached as dom.html
  • Screenshot: Attached as ephy-xss.png

Alas, insufficient input validation. :( It's not more input validation we need. The problem is missing output encoding.
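The distinction drawn above (output encoding at the point where untrusted text is written into markup, rather than filtering the input) is illustrated by the following added example. It is not Epiphany's code: the item template, the function names and the sample title are all constructed for this illustration, and the real about:overview markup is not reproduced here. The unencoded renderer shows the pattern the report describes; the encoded one escapes the title and URL before interpolating them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* HTML-escape the five characters that are significant in HTML text and
 * quoted attribute contexts. Returns a newly malloc'd string; caller frees. */
char *html_escape(const char *s)
{
    size_t len = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;            /* &amp;  */
        case '<':
        case '>':  len += 4; break;            /* &lt; &gt; */
        case '"':  len += 6; break;            /* &quot; */
        case '\'': len += 5; break;            /* &#39;  */
        default:   len += 1; break;
        }
    }
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(o, rep, n);
            o += n;
        } else {
            *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* Hypothetical overview-item markup (an assumption, not Epiphany's template).
 * The title lands both in an attribute and in element text. */
static const char *ITEM_TEMPLATE =
    "<a class=\"overview-item\" href=\"%s\" title=\"%s\">"
    "<span class=\"title\">%s</span></a>";

/* Interpolate already-prepared strings into the template. */
static char *format_item(const char *title_html, const char *url_attr)
{
    size_t n = strlen(ITEM_TEMPLATE) + strlen(url_attr) + 2 * strlen(title_html) + 1;
    char *out = malloc(n);
    if (!out)
        return NULL;
    snprintf(out, n, ITEM_TEMPLATE, url_attr, title_html, title_html);
    return out;
}

/* Vulnerable pattern: the page title goes into the HTML verbatim. */
char *render_item_unencoded(const char *title, const char *url)
{
    return format_item(title, url);
}

/* Hardened pattern: encode at the output boundary, whatever the input was. */
char *render_item_encoded(const char *title, const char *url)
{
    char *t = html_escape(title);
    char *u = html_escape(url);
    char *out = (t && u) ? format_item(t, u) : NULL;
    free(t);
    free(u);
    return out;
}

/* Constructed sample: a title containing every character that must be encoded. */
static const char *SAMPLE_TITLE = "Acme <b>Shop</b> & \"Deals\" 'today'";
static const char *SAMPLE_URL   = "https://example.invalid/";

int main(void)
{
    char *bad  = render_item_unencoded(SAMPLE_TITLE, SAMPLE_URL);
    char *good = render_item_encoded(SAMPLE_TITLE, SAMPLE_URL);
    printf("unencoded: %s\nencoded:   %s\n", bad, good);
    free(bad);
    free(good);
    return 0;
}
```

Escaping the URL with the same routine only handles attribute-context characters; whether a given scheme should be allowed in an href at all is a separate check that this example does not make.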

Edited Dec 16, 2021 by Michael Catanzaro