Submission #814378: BlitzJS Blitz 3.0.2 DOM-Based XSS, Open Redirect
Info

Title: BlitzJS Blitz 3.0.2 DOM-Based XSS, Open Redirect
Description: A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Blitz's sign-in functionality. Applications generated using BlitzJS templates improperly trust a URL parameter (next) during the sign-in flow. An attacker can craft a malicious link that, when opened by a user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft or unauthorized actions performed on behalf of the victim.

---

CVSS v3.1 Score Justification

Base Score: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector (AV): Network (N) – The vulnerability is exploitable remotely over the network via a crafted URL.
Attack Complexity (AC): Low (L) – The attack does not require complex conditions; the vulnerable code path is easily reached. The attacker only needs to know the correct parameter name.
Privileges Required (PR): None (N) – No authentication or privileges are required to trigger the vulnerability. The link can be sent to any user.
User Interaction (UI): Required (R) – The victim must click on the attacker's malicious link.
Scope (S): Changed (C) – The vulnerable component is the client-side code, but the impact (executing arbitrary script) affects the user's browser session and the data accessible within the application's security context.
Confidentiality (C): High (H) – Successful exploitation could lead to complete loss of confidentiality. An attacker can call authenticated API endpoints, access sensitive data, and other information stored in the browser's context.
Integrity (I): Low (L) – An attacker could potentially modify some data or perform actions on behalf of the user.
Availability (A): None (N) – The attack does not directly impact the availability of the application or its data.

---

Note to moderator: The vendor was notified on March 8, 2026 with a 45-day disclosure deadline of Apr. 22, 2026.
After multiple follow-up emails, the maintainer responded with "Blitz is in maintenance mode, we don't recommend using it for new things and templates are not maintained." After waiting past the disclosure deadline and with the absence of activity on the GitHub project, I have decided to proceed with public disclosure. It is reasonable that users building projects based on BlitzJS templates are unaware of the vulnerability. Let me know if you require screenshots/evidence of the CVD email chain (I am unable to upload private documents).

CVD: https://gist.github.com/TrebledJ/164c7ca6c8208b63e6937bc11984720b
Vendor: https://github.com/blitz-js/
Product: https://github.com/blitz-js/blitz/
Similar VDB Entries: VDB-358037, VDB-356245
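A mitigation for the issue described above, as an added example that is not Blitz's own template code: validating the `next` parameter so that only a same-origin relative path is ever handed to the post-login redirect. The origin `https://app.example` and the sample inputs are constructed for the example.

```javascript
// Added example (not Blitz's own code): validate a `next` redirect target
// before passing it to the router, so a crafted link cannot send the user
// off-site or into a javascript: URL after sign-in.

const BASE_ORIGIN = "https://app.example"; // constructed placeholder origin

// Returns a same-origin path (with query and fragment) or `fallback`
// when `next` is missing, malformed, or points anywhere untrusted.
function safeNextPath(next, fallback = "/") {
  if (typeof next !== "string" || next.length === 0) return fallback;
  // Control characters and backslashes are rejected outright: some browsers
  // normalise "\" to "/", which would turn "/\host" into "//host".
  if (/[\u0000-\u001f\\]/.test(next)) return fallback;
  // Require a path-absolute reference: exactly one leading "/", so that
  // absolute URLs, scheme-only values and protocol-relative "//host" fail.
  if (!next.startsWith("/") || next.startsWith("//")) return fallback;
  let url;
  try {
    url = new URL(next, BASE_ORIGIN);
  } catch {
    return fallback; // unparsable input never reaches the router
  }
  // Belt and braces: confirm the resolved URL still lives on our origin.
  if (url.origin !== BASE_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Constructed inputs: the first two are legitimate in-app targets, the rest
// are the shapes an open-redirect or DOM XSS payload typically takes.
const SAMPLES = {
  "/dashboard": "/dashboard",
  "/projects?id=7#top": "/projects?id=7#top",
  "//attacker.example/phish": "/",
  "https://attacker.example/": "/",
  "javascript:alert(1)": "/",
  "/\\attacker.example": "/",
  "": "/",
};

// True when every sample is mapped to its expected safe result.
function checkSamples() {
  return Object.entries(SAMPLES).every(
    ([input, expected]) => safeNextPath(input) === expected
  );
}
```

Call `safeNextPath(params.get("next"))` wherever the sign-in form decides where to send the user, and fall back to the application root for anything it rejects.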
Source: https://gist.github.com/TrebledJ/164c7ca6c8208b63e6937bc11984720b
User: trebledj (UID 94356)
Submitted: 27/04/2026 20:11 (1 month ago)
Moderated: 25/05/2026 21:12 (28 days later)
Status: accepted
VulDB Entry: 365540 [blitz-js blitz up to 3.0.2 on GitHub Sign-in LoginForm.tsx next cross site scripting]
Points: 20
