[CVE-2013-4170] Potential XSS Exploit When Binding `tagName` to User-Supplied Data

Tom Dale

Jul 25, 2013, 9:16:15 PM
to ember-s...@googlegroups.com
Potential XSS Exploit When Binding `tagName` to User-Supplied Data

This vulnerability has been assigned the CVE identifier CVE-2013-4170.

In general, Ember.js escapes or strips any user-supplied content
before inserting it in strings that will be sent to innerHTML.
However, the `tagName` property of an `Ember.View` was inserted into
such a string without being sanitized. This means that if an
application assigns a view's `tagName` to user-supplied data, a
specially-crafted payload could execute arbitrary JavaScript in the
context of the current domain ("XSS").

Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 1.0.0 RC6.1, 1.0.0 RC5.1, 1.0.0 RC4.1, 1.0.0 RC3.1,
1.0.0 RC2.1, 1.0.0 RC1.1

Impact
-------

This vulnerability only affects applications that assign or bind
user-provided content to `tagName`.

Releases
--------

Releases are available on builds.emberjs.com.

Workarounds
-----------

Escape any user-supplied value that you assign or bind to a view's
`tagName` property.
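As an added illustration (not Ember's code and not the patch itself), the following models the hazard described above and the workaround: a simplified stand-in for a render buffer that interpolates `tagName` verbatim into a string bound for innerHTML, beside a hardened form that only accepts a syntactically clean, allowlisted element name. The allowlist and sample inputs are constructed for this example.

```javascript
// Added example; not Ember's own code. Models the pre-patch hazard and the
// application-side workaround from the advisory: validate any user-supplied
// value before it reaches a view's `tagName`.

// Constructed allowlist for this example; an application should list only the
// elements its views legitimately need.
const ALLOWED_TAG_NAMES = new Set([
  "div", "span", "p", "section", "article", "ul", "ol", "li",
  "h1", "h2", "h3", "table", "tr", "td", "th",
]);

// A tag name is one token of letters and digits. Rejecting everything else
// means "<", ">", quotes, "/" and whitespace can never reach the markup string.
const TAG_NAME_SYNTAX = /^[a-z][a-z0-9]*$/;

// Returns a tag name that is safe to assign to `tagName`, or the fallback.
function safeTagName(userValue, fallback = "div") {
  if (typeof userValue !== "string") return fallback;
  const candidate = userValue.trim().toLowerCase();
  if (!TAG_NAME_SYNTAX.test(candidate)) return fallback;
  return ALLOWED_TAG_NAMES.has(candidate) ? candidate : fallback;
}

// Simplified stand-in for how an opening tag was built before the fix: the
// value is interpolated verbatim into a string destined for innerHTML.
function unsafeOpenTag(tagName) {
  return "<" + tagName + ">";
}

// Hardened form: only an allowlisted, syntactically clean name is interpolated.
function hardenedOpenTag(tagName) {
  return "<" + safeTagName(tagName) + ">";
}

// True when the markup is exactly one opening tag and nothing else, which is
// the invariant a `tagName` value must preserve.
function isSingleOpenTag(markup) {
  return /^<[a-z][a-z0-9]*>$/.test(markup);
}

// Constructed inputs: a legitimate name, a name not on the allowlist, a value
// carrying extra markup that breaks out of the tag, and an unnormalised name.
const SAMPLES = ["section", "script", "p><em", "  Span "];

for (const input of SAMPLES) {
  console.log(JSON.stringify(input),
    "unsafe ok:", isSingleOpenTag(unsafeOpenTag(input)),
    "hardened ok:", isSingleOpenTag(hardenedOpenTag(input)));
}
```

The check in `isSingleOpenTag` is the property a defender wants to assert in tests: whatever the user supplied, the view still renders as exactly one element.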

Patches
-------

To aid users who aren't able to upgrade immediately we have provided
patches for 1.0.0 RC1, 1.0.0 RC2, 1.0.0 RC3, 1.0.0 RC4, 1.0.0 RC5,
and 1.0.0 RC6. They are in git-am format and consist of a single changeset.

1.0.0-RC6.1.patch - Patch for 1.0.0-RC6
1.0.0-RC5.1.patch - Patch for 1.0.0-RC5
1.0.0-RC4.1.patch - Patch for 1.0.0-RC4
1.0.0-RC3.1.patch - Patch for 1.0.0-RC3
1.0.0-RC2.1.patch - Patch for 1.0.0-RC2
1.0.0-RC1.1.patch - Patch for 1.0.0-RC1

Credits
-------

This vulnerability was reported to us by Mario Heiderich of Cure53. Many
thanks for working with us on the patches and advisory.