Vulnerability in Less.js Causes Website to Leak AWS Secret Keys

 

Cybersecurity researchers at Canadian firm Software Secured identified a critical flaw in Less.js, a widely used CSS preprocessor language. According to the report published by the firm, threat actors could exploit the vulnerability to achieve remote code execution.

Researchers report that Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites. In addition, the Less.js library supports plugins from remote sources using the @plugin syntax; these plugins must be written in JavaScript and will run when the Less code is interpreted.

Attackers can abuse this feature for remote attack deployment: “If Less code is processed on the client-side, an inter-site scripting (XSS) attack could result, although its server-side execution can lead to remote code execution (RCE). All versions of Less with support for @plugin syntax are vulnerable to these scenarios. Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites,” says the report published by the firm Software Secured.

The report includes a proof of concept (PoC) and a demonstration of real-world exploitation on CodePen.io, a website for creating Less.js code snippets. The operators of this website were notified and a solution has already been developed to address the flaw.

“The vulnerability requires certain conditions to be successful. An example vulnerable scenario might be a feature that accepts custom styling via Less code from a user. Once in a vulnerable configuration, it is straightforward to exploit the application.”

Buis said as far as he knows, Less has not patched the bug. The backtick behavior has been known for a while ..
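For the scenario the report describes, a feature that accepts Less code from a user, the following added example (not code from the report or from the Less project) screens a submitted stylesheet for the @plugin directive and for backticks before it is handed to the compiler. The names `screenLess` and `isSafeToCompile` and the sample stylesheets are constructed for illustration.

```javascript
// Added example: pre-compile screening of untrusted Less source.
// Function names and sample inputs are hypothetical, constructed for this page.

// The two constructs the article names as dangerous in user-supplied Less.
const RULES = [
  // @plugin loads JavaScript that runs when the stylesheet is interpreted.
  // Loose prefix match so that near-variants are flagged as well.
  { kind: 'plugin-directive', re: /@plugin?/gi },
  // Any backtick, per the "backtick behavior" mentioned in the article.
  { kind: 'backtick', re: /`/g },
];

// Returns one finding per occurrence; an empty array means nothing was flagged.
// The scan runs over the raw text on purpose: comments and strings are NOT
// skipped, so a disagreement between this scanner and the real Less parser
// about where a comment ends cannot be used to hide a directive.
function screenLess(source) {
  const findings = [];
  const lines = String(source).split(/\r\n|\r|\n/);
  lines.forEach((text, i) => {
    for (const { kind, re } of RULES) {
      re.lastIndex = 0; // the regexes are shared, so reset state per line
      let m;
      while ((m = re.exec(text)) !== null) {
        findings.push({ kind, line: i + 1, column: m.index + 1 });
      }
    }
  });
  return findings;
}

// Gate to call before user-supplied Less reaches the compiler.
function isSafeToCompile(source) {
  return screenLess(source).length === 0;
}

// Constructed sample inputs.
const BENIGN = '@brand: #336699;\n.btn { color: @brand; }\n';
const WITH_PLUGIN = '.a { color: red; }\n@plugin "example-plugin";\n';
const WITH_BACKTICK = '@w: `1 + 1`;\n';

for (const [name, src] of Object.entries({ BENIGN, WITH_PLUGIN, WITH_BACKTICK })) {
  console.log(name, isSafeToCompile(src) ? 'accept' : 'reject', screenLess(src));
}
```

Rejecting on raw text produces false positives (a backtick inside a comment, for instance), which is the intended trade-off for input from untrusted users; the findings carry line and column so a rejection can be explained to the submitter.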
