Description

The CodeIgniter framework contains a function, xss_clean(), which is intended to filter out potential XSS attacks. The xss_clean() function would only strip attributes from HTML tags that were properly closed. However, browsers which see unclosed tags can choose to parse them as though they were properly formed. For example: 

<img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
The lack of a > at the end meant that the onerror attribute wasn`t stripped by xss_clean(). However, browsers would parse this input as a valid img tag with src and onerror attributes.

Remediation

Upgrade to the latest version of CodeIgniter (this problem was fixed in version 2.1.4).

References

CodeIgniter 2.1.3 xss_clean() Filter Bypass

Related Vulnerabilities

WordPress Plugin WP Server Health Stats Cross-Site Scripting (1.6.10)

WordPress Plugin Folders-Organize Pages, Posts and Media Library Folders with Drag and Drop Cross-Site Scripting (2.0.5)

WordPress Plugin Testimonial Rotator Cross-Site Scripting (3.0.2)

WordPress Plugin Ultimate Affiliate Pro Multiple Cross-Site Scripting Vulnerabilities (3.6)

WordPress Plugin Form Builder-Create Responsive Contact Forms Cross-Site Scripting (1.9.8.3)

Severity

High

Classification

CVE-2013-4891 CWE-80 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

XSS