Automa Extension for Chrome Message Handling Universal XSS
Vendor / Product information
“An extension for automating your browser by connecting blocks. From auto-fill forms, doing a repetitive task, taking a screenshot, to scraping data of the website, it’s up to you what you want to do with this extension. And you also can schedule when the automation will execute.”
Vulnerable program details
Details for tested products and versions:
Product: Automa Extension for Chrome
NOTE: Versions other than the one listed above are likely affected.
Sven Krewitt, Flashpoint
The Automa Extension for Chrome provides an Element Selector that displays the XPath or a CSS selector for a DOM node on any page. After activating the extension and choosing Element Selector from the top menu, the user can hover over and click elements of the current web page to see the XPath or CSS selector of the selected node.
The extension also supports selecting nodes inside embedded iframes. To achieve this, it injects its content script into every web page that is loaded.
The content script registers event listeners that determine which DOM nodes the Element Selector has picked. It also implements a message-based protocol for communication between different iframes. Messages to an iframe are sent by the messageToFrame() function in index.js, which the executeBlock() function calls when the message contains a selector that targets an iframe.
No solution is currently available
2023-04-19: Vulnerability discovered
2023-04-19: Vendor contacted to request a security email address
2023-04-25: Requested security contact on GitHub
2023-05-03: Sent reminder via email
2023-05-11: Sent reminder to an additional email address
2023-05-15: Vulnerability alert sent to VulnDB customers
2023-06-15: Publication of this vulnerability report