PT-2026-55397 · Npm · Devbridge-Autocomplete
Publicado
2026-06-22
·
Atualizado
2026-06-22
CVSS v3.1
5.4
Média
| Vetor | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
Summary
The default
formatGroup and formatResult functions in devbridge-autocomplete concatenate values into HTML without escaping, allowing XSS when an attacker controls (or can taint) the suggestion data source.Details
1.
formatGroup — category is interpolated raw.src/format.ts:ts
function formatGroup(suggestion, category) {
return '<div class="autocomplete-group">' + category + '</div>';
}If
groupBy is used and the grouping field of any suggestion contains HTML, that HTML is executed.2.
formatResult — early-return branch returns suggestion.value raw.src/format.ts:ts
function formatResult(suggestion, currentValue) {
if (!currentValue) {
return suggestion.value; // un-escaped
}
/* ... non-empty path escapes correctly ... */
}The early-return branch is reached when
suggest() renders with an empty currentValue, which happens with minChars: 0 and a server that returns suggestions for an empty query. The returned string is concatenated into the container's innerHTML.PoC (formatGroup)
html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>PoC: formatGroup XSS in jQuery-Autocomplete v2.0.0</title>
</head>
<body>
<input id="ac" type="text" placeholder="Type 'a' to trigger" autocomplete="off">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="dist/jquery.autocomplete.js"></script>
<script>
var poisoned = [
{ value: 'Apple', data: { category: "<img src=x onerror="alert('XSS via formatGroup')">" } },
{ value: 'Avocado', data: { category: 'Safe Group' } }
];
$('#ac').devbridgeAutocomplete({
lookup: poisoned,
groupBy: 'category',
minChars: 1
});
</script>
</body>
</html>Originally identified by an earlier human analysis; the PoC above was produced with the assistance of Claude Opus 4.7.
Impact
XSS in pages that render attacker-controllable suggestion data. The actual impact depends on what the embedding page has access to (cookies, session tokens, DOM), per standard reflected/stored XSS.
Patch
Both formatters now run their interpolated input through the browser's text-node escaping (
createElement + textContent) before producing the HTML string. Fixed in version 2.0.1.Correção
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Devbridge-Autocomplete