CVE-2020-23986
Description
Github Read Me Stats commit 3c7220e4f7144f6cb068fd433c774f6db47ccb95 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the function renderError.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in GitHub Read Me Stats via the renderError function allows attackers to inject arbitrary JavaScript.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in GitHub Read Me Stats commit 3c7220e4f7144f6cb068fd433c774f6db47ccb95. The bug resides in the renderError function within src/utils.js. When an error message is rendered, user-supplied input is not properly sanitized, enabling the injection of arbitrary HTML or JavaScript. The attack is triggered when a victim clicks on a crafted link containing a malicious payload in the error parameter.
Exploitation
An attacker needs to craft a URL that points to a GitHub Read Me Stats instance and includes a malicious payload in the query string, for example in the error parameter (?error=). If the victim clicks this link, the renderError function processes the input and renders it unsanitized, executing the injected script in the victim's browser context.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. This can result in information disclosure, including theft of cookies, session tokens, or other sensitive data accessible to the page. The attack is limited to the victim's browser and requires user interaction (clicking the link). The vulnerability is classified as reflected XSS [1].
Mitigation
The vulnerability was addressed in commit 0833e85 merged via pull request #255 on July 29, 2020. Users are recommended to update to the latest version of the github-readme-stats package that includes this fix. The commit link is provided in the reference [1]. No known workarounds exist, and the CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Github / Read Me Stats
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- github.com/anuraghazra/github-readme-stats/pull/255 (MISC)
News mentions
No linked articles in our index yet.