-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stemmed from improper sanitization in the federation mappings UI. Commit diffs show the removal of 'safestring.mark_safe()' in the get_rules_as_json function, which previously marked user-controlled JSON data as safe for HTML rendering. This lack of escaping enabled stored XSS when malicious rules were displayed. The direct correlation between the fix and the CWE-79 classification confirms this function's role in the vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| horizon | pip | >= 9.0, < 9.1.2 | 9.1.2 |
| horizon | pip | >= 10.0, < 10.0.3 | 10.0.3 |
| horizon | pip | >= 11.0.0, < 11.0.1 | 11.0.1 |