
CVE-2012-6133: Multiple cross-site scripting (XSS) vulnerabilities in Roundup

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.64113%
Published: 4/23/2022
Updated: 1/27/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: roundup
Ecosystem: pip
Vulnerable Versions: < 1.4.20
First Patched Version: 1.4.20

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper neutralization of the @ok_message and @error_message parameters. The PyPI 1.4.20 release notes explicitly mention fixing XSS in message handling by disallowing HTML tags. The associated issue2550724 shows that the clean_message function was the focal point of the security changes, moving from allowing a whitelist of tags to fully escaping the message. This function would appear in stack traces when user-supplied messages are processed for web output.

WAF Protection Rules

WAF Rule

Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue.