6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-15025

GHSA ID

GHSA-f8hv-rx9p-f9r4

EPSS Score

0.22576%

CWE

CWE-79

Published

2/20/2023

Updated

3/2/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-15025

CVE-2016-15025: generator-hottowel Cross-site Scripting vulnerability

A vulnerability, which was classified as problematic, was found in generator-hottowel 0.0.11. Affected is an unknown function of the file app/templates/src/server/_app.js of the component 404 Error Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is c17092fd4103143a9ddab93c8983ace8bf174396. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-221484.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-15025

GHSA ID

GHSA-f8hv-rx9p-f9r4

EPSS Score

0.22576%

CWE

CWE-79

Published

2/20/2023

Updated

3/2/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
generator-hottowel	npm	< 0.5.0	0.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing middleware handlers for asset paths (/js/, /images/, /styles/*) in app/templates/src/server/_app.js. In the vulnerable version, requests to these paths fell through to Express.js' default 404 handler, which reflected unsanitized user input in error responses. The application's own four0four.send404 handler (which mitigates XSS) was not invoked for these routes. While the root cause is the absence of specific middleware functions, no existing functions in the application code were directly vulnerable with high confidence - the vulnerability manifested due to the lack of proper routing configuration rather than flawed code in existing functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s pro*l*m*ti*, w*s *oun* in **n*r*tor-*ottow*l *.*.**. *****t** is *n unknown *un*tion o* t** *il* *pp/t*mpl*t*s/sr*/s*rv*r/_*pp.js o* t** *ompon*nt *** *rror **n*l*r. T** m*nipul*tion l***s to *ross sit* s*ript

Reasoning

T** vuln*r**ility st*ms *rom missin* mi**l*w*r* **n*l*rs *or *ss*t p*t*s (/js/*, /im***s/*, /styl*s/*) in *pp/t*mpl*t*s/sr*/s*rv*r/_*pp.js. In t** vuln*r**l* v*rsion, r*qu*sts to t**s* p*t*s **ll t*rou** to *xpr*ss.js' ****ult *** **n*l*r, w*i** r**l

6.1

Basic Information

Concerned about an active attack path?

CVE-2016-15025: generator-hottowel Cross-site Scripting vulnerability

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI