
CVE-2012-6131: Roundup Cross-site scripting (XSS) vulnerability

CVSS Score: 4.3

Basic Information

EPSS Score: 0.60343%
Published: 5/17/2022
Updated: 10/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Package Name: roundup
Ecosystem: pip
Vulnerable Versions: < 1.4.20
First Patched Version: 1.4.20

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the @action parameter in cgi/client.py not being sanitized before being included in an error message. The GitHub commit diff shows the fix added cgi.escape(action_name) to the ValueError raised in get_action_class, confirming the lack of escaping was the root cause. The CVE description explicitly references the @action parameter and cgi/client.py, aligning with this function's role in processing actions. Other functions (e.g., in templating.py) were patched for XSS but relate to different CVEs (e.g., CVE-2012-6130).
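To make the root cause concrete, the following is an added example in Python (not Roundup's code and not part of the Miggo analysis) that mirrors the shape of the described fix: an action-name lookup whose failure message is built from the request parameter, first unescaped (the pre-1.4.20 behaviour) and then escaped before it reaches the error page. The ACTIONS table, render_error_page and handle_request are constructed stand-ins; html.escape is used in place of cgi.escape, which Python 3.8 removed.

```python
"""Added example: an @action lookup whose error message echoes the
parameter, shown unescaped (vulnerable) and escaped (patched shape).

Not Roundup's code. ACTIONS, render_error_page and handle_request are
constructed stand-ins; html.escape replaces the cgi.escape used in the
real fix (cgi.escape was removed in Python 3.8).
"""
import html

# Constructed dispatch table: the names a client may pass as @action.
ACTIONS = {
    "edit": "EditItemAction",
    "new": "NewItemAction",
    "login": "LoginAction",
}


def get_action_class(action_name, escape_name=True):
    """Resolve an @action value to an action class name.

    escape_name=False reproduces the pre-1.4.20 behaviour described above:
    the raw parameter is interpolated into the ValueError text, and any
    markup in it survives into whatever page later displays that text.
    escape_name=True is the patched shape: the name is HTML-escaped first.
    """
    if action_name in ACTIONS:
        return ACTIONS[action_name]
    shown = html.escape(action_name, quote=True) if escape_name else action_name
    raise ValueError('No such action "%s"' % shown)


def render_error_page(message):
    """Constructed stand-in for a tracker error page.

    The message is dropped into the HTML verbatim, which is exactly why the
    escaping has to happen where the message is built.
    """
    return '<p class="error-message">%s</p>' % message


def handle_request(action_name, escape_name=True):
    """Dispatch one @action value and return the HTML the client would see."""
    try:
        klass = get_action_class(action_name, escape_name)
        return "<p>dispatching %s</p>" % klass
    except ValueError as exc:
        return render_error_page(str(exc))


if __name__ == "__main__":
    # Constructed probe value: harmless markup in the @action parameter.
    probe = "<i>x</i>"
    print("unescaped:", handle_request(probe, escape_name=False))
    print("escaped:  ", handle_request(probe))
```

Running the block prints the same probe twice: in the unescaped variant the `<i>` tags arrive in the page intact and are interpreted by the browser, while in the escaped variant they appear as literal text (`&lt;i&gt;`). The lesson generalizes beyond this CVE: an exception message is output like any other, and if it can reach an HTML response it needs the same context-appropriate escaping as a template variable.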


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) vulnerability in `cgi/client.py` in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the `@action` parameter to `support/issue1`.
