Miggo Logo

CVE-2010-4183: HTML Purifier cross-site scripting (XSS) vulnerability

4.3

CVSS Score

Basic Information

EPSS Score
0.49563%
Published
5/13/2022
Updated
4/23/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ezyang/htmlpurifiercomposer< 4.1.04.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper sanitization of CSS properties (background, background-image, font-family) in IE contexts. HTML Purifier uses dedicated validator classes for each CSS property. The validators for these specific properties in versions <4.1.0 lacked proper handling of IE-specific attack vectors like 'expression()' or malformed URIs. The functions directly responsible for validating these properties (in Background.php and FontFamily.php) would be the injection points, as confirmed by the vulnerability's context and HTML Purifier's architecture.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Multipl* *ross-sit* s*riptin* (XSS) vuln*r**iliti*s in *TML Puri*i*r ***or* *.*.*, w**n Int*rn*t *xplor*r is us**, *llow r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML vi* * *r**t** (*) ***k*roun*-im***, (*) ***k*roun*, or (*) *ont-**mily **

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*nitiz*tion o* *SS prop*rti*s (***k*roun*, ***k*roun*-im***, *ont-**mily) in I* *ont*xts. *TML Puri*i*r us*s ***i**t** v*li**tor *l*ss*s *or **** *SS prop*rty. T** v*li**tors *or t**s* sp**i*i* prop*rti*s in v*r