Cybersecurity specialists report the discovery of a critical vulnerability in Less.js, a widely used preprocessor language. According to the report, the flaw could be exploited by threat actors to deploy remote code execution attacks.
Threat actors can abuse this feature for remote attack deployment: “If less code is processed on the client side, an inter-site scripting (XSS) attack could result, although its server-side execution can lead to remote code execution (RCE),” says the report prepared by the firm Software Secured. All versions of Less with support for @plugin syntax are vulnerable to these scenarios.
The research includes a proof of concept (PoC) and a real-world scenario exploitation demonstration in CodePen.io, a website for creating Less.js code snippets. The operators of this website were notified about this and a solution has already been developed to address this flaw.
Later statements by research author Jeremy Buis specify that the attacks described in their post can only be exploited under certain conditions: “An example of a risk scenario is related to a feature that accepts custom styles through a given user’s Less code; a vulnerable configuration facilitates exploitation,” says the author.
Buis adds that, according to the most recent analyses, Less still does not address these issues: “As far as we know, no new reports have been issued on the plugin and the behavior of vulnerable parameters. We established communication with developers more than a year ago when faults were detected and recognized.” Finally, experts recommend upgrading to a recent version of Less and removing support for @plugin syntax in order to mitigate the risk of XSS or RCE attacks.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.