CVE-2016-1000231: Cross-Site Scripting in emojione

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 9/1/2020
Updated: 3/28/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: vuln_not_found

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| emojione | npm | <= 1.3.0 | 1.3.1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability documentation explicitly names these four functions as vulnerable entry points. The commit 613079b titled 'Revised escaping functions' in emojione.js indicates the fix involved adding proper sanitization. These functions handle user-controlled emoji conversions to HTML elements, and without input sanitization, could allow script injection. Though we can't view the exact diff, the advisory's specific function list and commit context provide high confidence.

WAF Protection Rules

WAF Rule

Affected versions of `emojione` are vulnerable to cross-site scripting when user input is passed into the `toShort()`, `shortnameToImage()`, `unicodeToImage()`, and `toImage()` functions.

## Recommendation

Update to version 1.3.1 or later.