CVE-2023-46998
Cross Site Scripting vulnerability in bootbox (npm)

Cross Site Scripting Proof of concept

What is CVE-2023-46998 About?

This is a Cross-Site Scripting (XSS) vulnerability in Bootbox.js that enables remote attackers to execute arbitrary code. By injecting crafted payloads into the alert(), confirm(), or prompt() functions, an attacker who exploits it successfully gains client-side code execution. It is generally easy to exploit, given user interaction.

Affected Software

bootbox >3.2.0, <=6.0.0

Technical Details

The BootBox.js library, versions 3.2 through 6.0, is susceptible to Cross-Site Scripting (XSS). This vulnerability arises because user-supplied input is inadequately sanitized before being rendered within the alert(), confirm(), and prompt() functions. An attacker can inject malicious JavaScript payloads through parameters passed to these functions. When a user interacts with an application using the vulnerable BootBox.js, the crafted payload is executed in the victim's browser within the context of the vulnerable website.

What is the Impact of CVE-2023-46998?

Successful exploitation may allow attackers to execute arbitrary client-side script code in the victim's browser, steal session cookies, deface web pages, or redirect users to malicious sites.

What is the Exploitability of CVE-2023-46998?

Exploitation requires low to moderate complexity, depending on how the application uses Bootbox.js and whether input filtering is present elsewhere. No authentication or elevated privileges are typically required for the attacker. This is a remote vulnerability, as the malicious payload is delivered via a web application. Successful exploitation often requires some form of user interaction, such as clicking a malicious link or visiting a compromised page. The risk is heightened in applications that frequently use Bootbox.js dialogs with user-supplied content.

What are the Known Public Exploits?

| PoC Author | Link | Commentary |
| --- | --- | --- |
| soy-oreocato | Link | PoC for CVE-2023-46998 |

What are the Available Fixes for CVE-2023-46998?

Available Upgrade Options

  • No fixes available
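With no upgrade available, the condition described under Technical Details can be handled at the call site by escaping untrusted text before it reaches a dialog. The following is an added example, not code from this page or from the Bootbox project; `escapeHtml`, `safeDialogArgs` and `wrapDialog` are hypothetical names, and it assumes `message` and `title` are the dialog options rendered as markup.

```javascript
// Added example: escape untrusted text before it is handed to a Bootbox dialog.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Replace every character that can start a tag, attribute value or entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Options assumed to be rendered as markup by the dialog (assumption, see lead-in).
const MARKUP_FIELDS = ['message', 'title'];

// Accepts the string form or the options-object form of a dialog call and
// returns an escaped copy; callbacks, buttons and other options pass through.
function safeDialogArgs(arg) {
  if (arg === null || typeof arg !== 'object') {
    return escapeHtml(arg ?? '');
  }
  const out = { ...arg };
  for (const field of MARKUP_FIELDS) {
    if (out[field] !== undefined && out[field] !== null) {
      out[field] = escapeHtml(out[field]);
    }
  }
  return out;
}

// Wrap a dialog function (alert, confirm or prompt) so its first argument is
// always escaped; remaining arguments keep their position and count.
function wrapDialog(dialogFn) {
  return (first, ...rest) => dialogFn(safeDialogArgs(first), ...rest);
}

// Constructed stand-in for the library so the example runs offline; in an
// application, pass the real function, e.g. wrapDialog(bootbox.alert.bind(bootbox)).
const fakeBootbox = { alert: (arg) => arg };
const safeAlert = wrapDialog(fakeBootbox.alert);

// Constructed sample input: markup arriving in a user-controlled field.
const rendered = safeAlert({
  title: 'Profile "saved"',
  message: 'Hello <img src=x onerror=alert(1)>',
});
console.log(rendered.message); // the tag is shown as text, not parsed as HTML
```

Messages that intentionally contain HTML will be displayed as literal text through these wrappers, so build such markup from trusted templates and escape only the interpolated values.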

Additional Resources

What are Similar Vulnerabilities to CVE-2023-46998?

Similar Vulnerabilities: CVE-2023-50478, CVE-2023-50479, CVE-2023-50480, CVE-2023-50481, CVE-2023-49033