
CVE-2018-3771: statics-server Cross-site Scripting vulnerability

CVSS Score (v3.0): 6.1

Basic Information

EPSS Score: 0.59096%
Published: 5/13/2022
Updated: 5/2/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name     Ecosystem   Vulnerable Versions   First Patched Version
statics-server   npm         <= 0.0.9

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability occurs in the directory listing generation code, where user-controlled input (filenames) is interpolated directly into HTML without escaping. The code builds <a> tags using template literals with ${v} in both the href attribute and the link text. Because filenames can contain HTML metacharacters, a crafted filename injects markup (and therefore script) into the rendered listing. The HackerOne report explicitly identifies this unescaped use of the variable v as the root cause.
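The unescaped interpolation described above, as an added example rather than statics-server's own code: a renderer that mirrors the vulnerable pattern beside a hardened one, with constructed sample filenames and hypothetical helper names.

```javascript
// Added example (not statics-server's code): directory-listing HTML generation,
// vulnerable form next to an escaped form.

// Escape the five HTML metacharacters so a filename can never close the
// attribute or the element it is placed in.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern from the root cause analysis: the filename v is
// interpolated raw into both the href attribute and the link text.
function renderListingVulnerable(files) {
  return files.map((v) => `<li><a href="${v}">${v}</a></li>`).join("\n");
}

// Hardened form: each sink gets the encoding that matches its context.
// The href value is percent-encoded (filenames are single path segments, so
// encoding "/" is fine) and then HTML-escaped for the attribute; the visible
// text is HTML-escaped.
function renderListingSafe(files) {
  return files
    .map((v) => `<li><a href="${escapeHtml(encodeURIComponent(v))}">${escapeHtml(v)}</a></li>`)
    .join("\n");
}

// Constructed sample: one benign name and one that carries markup.
const sampleFiles = ["readme.txt", '<iframe src="x">.txt'];

// Detection helper: true when a raw <iframe tag survived into the output.
function containsRawIframe(html) {
  return /<iframe/i.test(html);
}

console.log(renderListingVulnerable(sampleFiles));
console.log(renderListingSafe(sampleFiles));
```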


WAF Protection Rules

WAF Rule

An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser. Statics-server does not implement any HTML escaping when displays directory index in the browser. Variable
