CVE-2018-3747: Cross-Site Scripting in public

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.50092%
Published: 10/10/2018
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: public
Ecosystem: npm
Vulnerable Versions: < 0.1.4
First Patched Version: 0.1.4

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from unsanitized filename rendering in HTML outputs. While no direct patch code is available, static file servers typically have: 1) A directory listing generator that creates file links (createFileList), and 2) A core HTML response builder (generateHTML). These would be the most probable locations where filenames are embedded without escaping in pre-0.1.4 versions. Confidence is medium due to inference from vulnerability patterns in static file servers, though exact function names might vary.
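
The pattern described above, as an added example that is not code from the `public` package: a directory listing builder that embeds filenames verbatim, next to a version that encodes them for the URL and HTML contexts. The function names and sample filenames are hypothetical and constructed for illustration.

```javascript
// Added illustration; not code from the `public` package. All names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the filename is concatenated into markup verbatim,
// so a name containing markup is parsed by the browser as HTML.
function renderListingUnsafe(names) {
  return '<ul>' + names.map((n) => `<li><a href="${n}">${n}</a></li>`).join('') + '</ul>';
}

// Hardened pattern: percent-encode the name for the URL context, HTML-escape it
// for the text context, and prefix "./" so the name can never be read as a URL scheme.
function renderListingSafe(names) {
  const items = names.map((n) => {
    const href = escapeHtml('./' + encodeURIComponent(n));
    return `<li><a href="${href}">${escapeHtml(n)}</a></li>`;
  });
  return '<ul>' + items.join('') + '</ul>';
}

// Constructed sample directory entries.
const SAMPLE_NAMES = ['report.txt', '<img src=x onerror=alert(1)>.txt', 'a"b.txt'];

console.log(renderListingUnsafe(SAMPLE_NAMES));
console.log(renderListingSafe(SAMPLE_NAMES));
```

In the hardened output the second entry appears as inert text (`&lt;img ...&gt;`), and its link still resolves to the same file because the percent-encoded path decodes back to the original name.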

WAF Protection Rules

WAF Rule

Versions of `public` prior to 0.1.4 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.