CVE-2023-46998 (Medium) detected in bootbox-5.4.0.tgz

[mend-bolt-for-github]

CVE-2023-46998 - Medium Severity Vulnerability

Vulnerable Library - bootbox-5.4.0.tgz

Wrappers for JavaScript alert(), confirm(), prompt(), and other flexible dialogs using the Bootstrap framework

Library home page: https://registry.npmjs.org/bootbox/-/bootbox-5.4.0.tgz

Path to dependency file: /passhweb/app/static/package.json

Path to vulnerable library: /passhweb/app/static/node_modules/bootbox/package.json

Dependency Hierarchy:

• ❌ bootbox-5.4.0.tgz (Vulnerable Library)

Found in HEAD commit: b0f7c98d88f4f0ef7aa1b834668853b7092da5a4

Found in base branch: master

Vulnerability Details

Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2023-11-07

URL: CVE-2023-46998

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

---

Step up your Open Source Security Game with Mend here

[Raphux]

Proposed mitigation for Bootbox XSS (CVE-2023-46998)

Bootbox 3.2–6.0 is vulnerable and there is no fixed release.
We can mitigate by escaping any dynamic strings passed to bootbox.alert/confirm/prompt, so untrusted input is not interpreted as HTML.

1) Add a global helper (loaded everywhere)

In passhweb/app/templates/scripts/with_sidebar.html (right after jQuery):

<script>
    window.escapeHtml = function (value) {
      return String(value)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
    };
</script>

2) Wrap dynamic messages

Example replacement:

bootbox.alert({ message: failed + item, className: "modal modal-danger fade in" });

becomes:

bootbox.alert({ message: escapeHtml(failed + item), className: "modal modal-danger fade in" });

Apply the same for any Bootbox message built from user-controlled input.

Files to update

• passhweb/app/static/librit/scripts/usergroup_attach_user.js
• passhweb/app/static/librit/scripts/usergroup_attach_manager.js
• passhweb/app/static/librit/scripts/usergroup_attach_usergroup.js
• passhweb/app/static/librit/scripts/target_attach_user.js
• passhweb/app/static/librit/scripts/target_attach_usergroup.js
• passhweb/app/static/librit/scripts/targetgroup_attach_user.js
• passhweb/app/static/librit/scripts/targetgroup_attach_usergroup.js
• passhweb/app/static/librit/scripts/targetgroup_attach_target.js
• passhweb/app/static/librit/scripts/targetgroup_attach_targetgroup.js
• passhweb/app/static/librit/scripts/target_download_file.js
• passhweb/app/static/librit/scripts/player_download_file.js

Notes

• This is a mitigation until Bootbox ships a fixed release.
• Alternative (larger change): replace Bootbox with native Bootstrap modals and insert text only (no HTML).