| Title | BlitzJS Blitz 3.0.2 DOM-Based XSS, Open Redirect |
|---|---|
| Description | A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Blitz's sign-in functionality. Applications generated from BlitzJS templates improperly trust a URL parameter (`next`) during the sign-in flow. An attacker can craft a malicious link that, when opened by a user, performs a client-side redirect and executes arbitrary JavaScript in the context of the victim's browser. This could lead to credential theft or unauthorized actions performed on behalf of the victim. |
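
As an added, defender-side illustration (this is not code from Blitz, its templates, or the submitter's gist), the TypeScript helper below shows how a sign-in form can validate a `next` redirect parameter before passing it to a router or `window.location`: only a single-slash, same-origin relative path is accepted, and absolute URLs, `javascript:` values, protocol-relative `//host` values and backslash variants all fall back to a fixed default. The function name `safeNextPath`, the placeholder origin `app.invalid` and the sample inputs are assumptions constructed for the example, not Blitz APIs.

```typescript
// Added example: allow-list validation for a post-login redirect parameter
// such as `next`. Not code from Blitz or the reporter; names are assumptions.
const FALLBACK_PATH = "/";

function safeNextPath(raw: string | null | undefined, fallback: string = FALLBACK_PATH): string {
  if (typeof raw !== "string" || raw.length === 0) return fallback;

  // Reject control characters and whitespace: browsers strip some of them when
  // parsing a scheme, so "java\tscript:" can still become "javascript:".
  if (/[\u0000-\u001f\u007f\s]/.test(raw)) return fallback;

  // Require exactly one leading "/" followed by something other than "/" or "\".
  // This excludes absolute URLs ("https://..."), scheme-prefixed values
  // ("javascript:..."), protocol-relative URLs ("//evil.example") and the
  // backslash variant ("/\evil.example") that some browsers treat like "//".
  if (!/^\/(?![\/\\])/.test(raw)) return fallback;

  // Resolve against a fixed placeholder origin (constructed for this example).
  // If the resolved origin differs, a host was smuggled in somehow: reject it.
  const base = "https://app.invalid";
  let parsed: URL;
  try {
    parsed = new URL(raw, base);
  } catch (_err) {
    return fallback;
  }
  if (parsed.origin !== base || parsed.protocol !== "https:") return fallback;

  // Hand back only the normalised path, query and fragment, never the origin.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample values a sign-in page might receive in `?next=`.
const SAMPLE_NEXT_VALUES: Array<string | null> = [
  "/dashboard",
  "/settings?tab=security#mfa",
  "javascript:alert(document.cookie)",
  "https://evil.example/phish",
  "//evil.example/phish",
  "/\\evil.example",
  "java\tscript:alert(1)",
  null,
];

// Returns each sample paired with the path the form would actually redirect to.
function classifySamples(): Array<[string | null, string]> {
  return SAMPLE_NEXT_VALUES.map((value) => [value, safeNextPath(value)]);
}

for (const [input, decision] of classifySamples()) {
  console.log(JSON.stringify(input), "->", decision);
}
```

The key design choice is to validate by construction (accept one narrow shape and normalise it through the platform URL parser) rather than by blocking known-bad prefixes; blocklists are what usually lets `javascript:` and `//` variants through.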
---
CVSS v3.1 Score Justification
Base Score: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector (AV): Network (N) – The vulnerability is exploitable remotely over the network via a crafted URL.
Attack Complexity (AC): Low (L) – The attack does not require complex conditions; the vulnerable code path is easily reached. The attacker only needs to know the correct parameter name.
Privileges Required (PR): None (N) – No authentication or privileges are required to trigger the vulnerability. The link can be sent to any user.
User Interaction (UI): Required (R) – The victim must click on the attacker's malicious link.
Scope (S): Changed (C) – The vulnerable component is the client-side code, but the impact (executing arbitrary script) affects the user's browser session and the data accessible within the application's security context.
Confidentiality (C): High (H) – Successful exploitation could lead to complete loss of confidentiality. An attacker can call authenticated API endpoints, access sensitive data, and other information stored in the browser's context.
Integrity (I): Low (L) – An attacker could potentially modify some data or perform actions on behalf of the user.
Availability (A): None (N) – The attack does not directly impact the availability of the application or its data.
---
Note to moderator: The vendor was notified on March 8, 2026 with a 45-day disclosure deadline of Apr. 22, 2026. After multiple follow-up emails, the maintainer responded with "Blitz is in maintenance mode, we don’t recommend using it for new things and templates are not maintained." After waiting past the disclosure deadline and with the absence of activity on the GitHub project, I have decided to proceed with public disclosure. It is reasonable that users building projects based on BlitzJS templates are unaware of the vulnerability. Let me know if you require screenshots/evidence of the CVD email chain (I am unable to upload private documents).
CVD: https://gist.github.com/TrebledJ/164c7ca6c8208b63e6937bc11984720b
Vendor: https://github.com/blitz-js/
Product: https://github.com/blitz-js/blitz/
Similar VDB Entries: VDB-358037, VDB-356245

| Field | Value |
|---|---|
| Source | ⚠️ https://gist.github.com/TrebledJ/164c7ca6c8208b63e6937bc11984720b |
| User | trebledj (UID 94356) |
| Submission | 27/04/2026 20:11 (1 month ago) |
| Moderation | 25/05/2026 21:12 (28 days later) |
| Status | Accepted |
| VulDB Entry | 365540 [blitz-js blitz up to 3.0.2 on GitHub Sign-in LoginForm.tsx next cross site scripting] |
| Points | 20 |