Miggo Logo

CVE-2018-7261: radiant vulnerable to Cross-site Scripting

5.4

CVSS Score
3.0

Basic Information

EPSS Score
0.41847%
Published
7/27/2018
Updated
1/26/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
radiantrubygems= 1.1.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized user input in Personal Preferences and Configuration modules. In Rails applications, controller actions (e.g., update) directly handle form parameters. The absence of input sanitization in these controllers (UsersController, ConfigurationController) and model save operations allows XSS payloads to persist. Page Parts/Fields are explicitly listed as affected components, implying their persistence logic lacks sanitization. Confidence is high for controllers due to direct parameter handling, and medium for models due to inferred storage logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* *r* multipl* P*rsist*nt XSS vuln*r**iliti*s in R**i*nt *MS *.*.*. T**y *****t P*rson*l Pr***r*n**s (N*m* *n* Us*rn*m*) *n* *on*i*ur*tion (Sit* Titl*, **v Sit* *om*in, P*** P*rts, *n* P*** *i*l*s).

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us*r input in P*rson*l Pr***r*n**s *n* *on*i*ur*tion mo*ul*s. In R*ils *ppli**tions, *ontroll*r **tions (*.*., `up**t*`) *ir**tly **n*l* *orm p*r*m*t*rs. T** **s*n** o* input s*nitiz*tion in t**s* *ontroll*rs