6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2013-4170

GHSA ID

GHSA-5m48-c37x-f792

EPSS Score

0.57817%

CWE

CWE-79

Published

7/1/2022

Updated

8/29/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-4170

CVE-2013-4170: Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the tagName property of an Ember.View was inserted into such a string without being sanitized. This means that if an application assigns a view's tagName to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS"). This vulnerability only affects applications that assign or bind user-provided content to tagName.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2013-4170

GHSA ID

GHSA-5m48-c37x-f792

EPSS Score

0.57817%

CWE

CWE-79

Published

7/1/2022

Updated

8/29/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ember-source	rubygems	<= 1.0.0.rc1.0	1.0.0.rc1.1
ember-source	rubygems	= 1.0.0.rc2.0	1.0.0.rc2.1
ember-source	rubygems	= 1.0.0.rc3.0	1.0.0.rc3.1
ember-source	rubygems	= 1.0.0.rc4.0	1.0.0.rc4.1
ember-source	rubygems	= 1.0.0.rc5.0	1.0.0.rc5.1
ember-source	rubygems	= 1.0.0.rc6.0	1.0.0.rc6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized use of the tagName property when creating view elements. Ember's View class uses tagName to generate the element via string interpolation in createElement. Since tagName wasn't sanitized in vulnerable versions, user-supplied values could inject malicious attributes (e.g., onerror). The patches likely added sanitization to this specific element creation path. While exact pre-patch code isn't shown, the advisory's description of the attack vector (binding to tagName) and XSS via innerHTML context strongly implicates the element creation function as the vulnerable point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In **n*r*l, *m**r.js *s**p*s or strips *ny us*r-suppli** *ont*nt ***or* ins*rtin* it in strin*s t**t will ** s*nt to inn*r*TML. *ow*v*r, t** `t**N*m*` prop*rty o* *n `*m**r.Vi*w` w*s ins*rt** into su** * strin* wit*out **in* s*nitiz**. T*is m**ns t**

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us* o* t** `t**N*m*` prop*rty w**n *r**tin* vi*w *l*m*nts. *m**r's Vi*w *l*ss us*s `t**N*m*` to **n*r*t* t** *l*m*nt vi* strin* int*rpol*tion in `*r**t**l*m*nt`. Sin** `t**N*m*` w*sn't s*nitiz** in vuln*r**l*

6.1

Basic Information

Concerned about an active attack path?

CVE-2013-4170: Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI