Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 20 Jan 2016 12:05:02 -0800
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Cc: report@...esecurity.io
Subject: CVE request: Two vulnerabilities in mapbox.js node module

Noticed these via the Node Security Project.

mapbox.js is "Mapbox JavaScript API, a Leaflet Plugin".
http://mapbox.com/mapbox.js/

Homepage: https://github.com/mapbox/mapbox.js

Download: https://www.npmjs.com/package/mapbox.js

* Content Injection via TileJSON attribute

  https://nodesecurity.io/advisories/49

  Overview:

  Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable
  to a cross-site-scripting attack in certain uncommon usage scenarios.

  If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON
  content from a non-Mapbox URL, it is possible for a malicious user with
  control over the TileJSON content to inject script content into the
  "attribution" value of the TileJSON which will be executed in the context of
  the page using Mapbox.js.

  Such usage is uncommon. The following usage scenarios are not vulnerable:

  * only trusted TileJSON content is loaded
  * TileJSON content comes only from mapbox.com URLs
  * a Mapbox map ID is supplied, rather than a TileJSON URL

  Remediation:

  Upgrade to Mapbox.js version 2.1.7. If you are still using a 1.x version and
  unable to upgrade to 2.1.7, upgrade to 1.6.5.

  Credit: John Firebaugh


* Content Injection via TileJSON Name

  https://nodesecurity.io/advisories/74

  Overview:

  Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable
  to a cross-site-scripting attack in certain uncommon usage scenarios.

  If you use L.mapbox.map and L.mapbox.shareControl it is possible for a
  malicious user with control over the TileJSON content to inject script
  content into the name value of the TileJSON. After clicking on the share
  control, the malicious code will execute in the context of the page using
  Mapbox.js.

  Such usage is uncommon. L.mapbox.shareControl is not automatically added to
  mapbox.js maps and must be explicitly added. The following usage scenarios
  are not vulnerable:

  * the map does not use a share control (L.mapbox.sharecontrol)
  * only trusted TileJSON content is loaded

  Remediation:

  Upgrade to Mapbox.js version 2.2.4. If you are still using a 1.x version and
  unable to upgrade to 2.2.4, upgrade to 1.6.6.

  If you are unable to upgrade to either 2.2.4 or 1.6.6, you can also remove
  instances of L.mapbox.shareControl from your maps.

  Credit: Alexandra Ulsh


The advisories state that a CVE has been requested, but I haven't seen any
assignments yet. Please assign CVEs as appropriate.

Thanks,
~reed

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.