[CVE-2014-0014] Potential XSS Exploit With User-Supplied Data When Using {{group}} Helper

Tom Dale

Jan 14, 2014, 11:40:40 AM1/14/14
to ember-s...@googlegroups.com
Potential XSS Exploit With User-Supplied Data When Using {{group}} Helper

This vulnerability has been assigned the CVE identifier CVE-2014-0014.

In general, Ember.js escapes or strips any user-supplied content before
inserting it in strings that will be sent to innerHTML.  However, we have
identified a vulnerability that could lead to unescaped content being inserted
into the innerHTML string without being sanitized.

When using the `{{group}}` helper, user supplied content in the template was not
being sanitized. Though the vulnerability exists in Ember.js proper, it is only
exposed via the use of an experimental plugin.

In applications that use the `{{group}}` helper, a specially-crafted payload
could execute arbitrary JavaScript in the context of the current domain
("XSS").

Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 1.0.1, 1.1.3, 1.2.1, 1.3.1, 1.4.0-beta.2

Impact
-------

This vulnerability only affects applications that use the `{{group}}` helper
to display user-provided content.

Releases
--------

Releases are available on emberjs.com/builds/#/tagged

Workarounds
-----------

Ensure that you escape any user-supplied value before it is rendered inside a
`{{group}}` helper block, since the helper itself will not escape it.
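The following is an added illustration, not code from Ember.js or from the
experimental plugin the advisory refers to. It models the two shapes described
above with a hypothetical block helper that concatenates a bound property into
the string it will hand to innerHTML: once unescaped (the behaviour the
advisory describes) and once with the value escaped first (the workaround).
The helper names, the `{{name}}` template syntax, the escape table and the
sample payload are all assumptions constructed for this example.

```javascript
// Added example, not Ember.js source. Hypothetical block helper that builds
// an innerHTML string from a template and a context object.

// Characters that matter when a value is interpolated into HTML text or an
// attribute. Assumption: this set ('&', '<', '>', '"', "'", '`', '=') is the
// one a template engine's escapeExpression would handle.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
  '=': '&#x3D;',
};

// Escape a bound value so it can be concatenated into an HTML string.
function escapeExpression(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: the bound property is interpolated into the markup
// verbatim, so user-supplied HTML reaches innerHTML intact.
function renderGroupUnsafe(template, context) {
  const body = template.replace(/\{\{(\w+)\}\}/g, (_, key) => String(context[key]));
  return '<div class="group">' + body + '</div>';
}

// Fixed shape: every bound value passes through escapeExpression before it
// is concatenated, so the same payload renders as inert text.
function renderGroupSafe(template, context) {
  const body = template.replace(/\{\{(\w+)\}\}/g, (_, key) => escapeExpression(context[key]));
  return '<div class="group">' + body + '</div>';
}

// Constructed input: a value a user could submit through a form, and a
// template that displays it inside the group.
const PAYLOAD = '<img src=x onerror="alert(1)">';
const TEMPLATE = '<span>Hello, {{name}}</span>';

// Render the same template both ways and return both strings.
function demo() {
  const context = { name: PAYLOAD };
  return {
    unsafe: renderGroupUnsafe(TEMPLATE, context),
    safe: renderGroupSafe(TEMPLATE, context),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('unsafe:', out.unsafe);
  console.log('safe:  ', out.safe);
}
```

Run with `node` to see both renderings side by side. The unsafe output still
contains a live `<img>` element with an `onerror` handler, which is exactly
the path to script execution the advisory describes; the safe output contains
only entity-encoded text. Note that the escaping has to happen at the point
where the value is concatenated into the HTML string, not somewhere upstream
that the helper bypasses.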

Patches
-------

To aid users who aren't able to upgrade immediately we have provided
patches for 1.0.0, 1.1.2, 1.2.0, 1.3.0, and 1.4.0-beta.1. They are in
git-am format and consist of a single changeset.

patch_for_1.0.0.diff
patch_for_1.1.2.diff
patch_for_1.2.0.diff
patch_for_1.3.0.diff
patch_for_1.4.0-beta.1.diff

Credits
-------

This vulnerability was reported to us by Edward Faulkner of CleriCare. Many
thanks for working with us on the patches and advisory.