
CVE-2008-1474: Roundup vulnerability related to Cross-site scripting (XSS)

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.76409%
Published: 5/1/2022
Updated: 10/26/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name  Ecosystem  Vulnerable Versions  First Patched Version
roundup       pip        < 1.4.4              1.4.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from multiple HTMLProperty subclasses in 'templating.py' whose plain() methods lacked output escaping. The commit patching CVE-2008-1474 adds 'escape=1' parameters to these method calls and modifies the plain() method signatures to support escaping. This directly addresses XSS by ensuring user-controlled data is HTML-encoded when rendered. The changes in templates (removing 'structure' directives) further confirm the XSS mitigation strategy. Each identified function corresponds to a property type that could render untrusted data without escaping prior to the patch.
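The mechanism described above, as an added example that is not Roundup's code and not part of this record: a minimal property wrapper whose plain() method returns the raw stored value unless the template passes escape=1, rendered into a table row with and without escaping. The StringProperty class, render_row() helper and the sample issue values are constructed for illustration; only the escape=1 keyword mirrors what the analysis says the patch introduced, and the escape=0 default is an assumption.

```python
import html

# Constructed sample field values, as a user might submit through a tracker's
# web form. These are made up for the example, not real Roundup data.
SAMPLES = {
    "title": "Login fails <script>alert(1)</script>",
    "assignee": 'alice "the admin" <alice@example.invalid>',
}


class StringProperty:
    """Hypothetical stand-in for a templating property wrapper.

    Models the behaviour described in the root cause analysis: plain() hands
    the stored value to the template, and only encodes it when asked to.
    """

    def __init__(self, value):
        self._value = value

    def plain(self, escape=0):
        # escape=0 default is an assumption; with it, the raw value reaches the
        # page unchanged, which is the pre-fix failure mode. escape=1 HTML-encodes
        # <, >, & and both quote characters so the value renders as text only.
        if escape:
            return html.escape(self._value, quote=True)
        return self._value


def render_row(props, escape=1):
    """Render one table row; every cell goes through plain(escape=...)."""
    cells = "".join(
        f"<td>{StringProperty(v).plain(escape=escape)}</td>" for v in props.values()
    )
    return f"<tr>{cells}</tr>"


def contains_script_tag(fragment):
    """Crude detection used only to show the difference between the two renderings."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print("unescaped:", render_row(SAMPLES, escape=0))
    print("escaped:  ", render_row(SAMPLES, escape=1))
```

Running it prints the raw row, in which the submitted script element survives intact, and the escaped row, in which it appears as literal `&lt;script&gt;` text. An opt-in parameter like escape=1 fixes each call site the patch touched, but it leaves any call site that forgets the argument unprotected; a renderer that escapes by default and requires an explicit opt-out for trusted markup is the safer design, and is what modern template engines do.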


WAF Protection Rules

WAF Rule

Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS).
