
CVE-2019-10260: Moderate severity vulnerability that affects total.js

CVSS Score (v3.0): 6.1

Basic Information

EPSS Score: 0.47285%
Published: 4/2/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
total.js | npm | <= 3.3.0-12 | 3.3.0-13

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two unescaped output locations: 1) in the grid component of ui.js, the value derived from column.format was rendered without escaping (fixed by wrapping it in Thelpers.encode()); 2) in the notification template of index.html, item.message was inserted raw (fixed by wrapping it in Thelpers.encode()). Both locations write user-influenced content directly into the DOM without output encoding, the classic XSS pattern, which matches the CVSS vector (network, no privileges, user interaction required, scope changed). The fix commits add encoding at exactly these two locations, confirming that these are the vulnerable sinks.
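The following is an added example, not code from total.js or from the fix commits. It models the two sinks described above (item.message in the notification template and the column.format result in the grid cell) in their unescaped and encoded forms, and runs a constructed payload through both. The encode() helper is a stand-in for Thelpers.encode(); its exact character set, the render function names and the sample data are assumptions made for the example.

```javascript
// Added example, not total.js's own code. encode() stands in for
// Thelpers.encode(); the set of characters it escapes is an assumption.
const encode = (value) =>
  String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Notification template, before the fix: item.message is concatenated raw.
function renderNotificationVulnerable(item) {
  return '<div class="notification">' + item.message + '</div>';
}

// Notification template, after the fix: item.message is encoded on output.
function renderNotificationFixed(item) {
  return '<div class="notification">' + encode(item.message) + '</div>';
}

// Grid cell, before the fix: the column.format result lands in the DOM unescaped.
// column.format is modelled as an optional formatter function (assumption).
function renderCellVulnerable(column, row) {
  const raw = row[column.name];
  const value = typeof column.format === 'function' ? column.format(raw, row) : raw;
  return '<td>' + value + '</td>';
}

// Grid cell, after the fix: the formatted value is encoded before insertion.
function renderCellFixed(column, row) {
  const raw = row[column.name];
  const value = typeof column.format === 'function' ? column.format(raw, row) : raw;
  return '<td>' + encode(value) + '</td>';
}

// Constructed sample input: an attacker-controlled string that would execute
// if it reached the DOM unescaped.
const PAYLOAD = '<img src=x onerror="alert(1)">';
const sampleItem = { message: 'New comment: ' + PAYLOAD };
const sampleColumn = { name: 'title', format: (v) => v.toUpperCase() };
const sampleRow = { title: PAYLOAD };

// Check a reviewer can run against rendered markup: did the payload's tag survive?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

function demo() {
  return {
    notificationVulnerable: renderNotificationVulnerable(sampleItem),
    notificationFixed: renderNotificationFixed(sampleItem),
    cellVulnerable: renderCellVulnerable(sampleColumn, sampleRow),
    cellFixed: renderCellFixed(sampleColumn, sampleRow),
  };
}

console.log(demo());
```

Note that the fixed grid path encodes the output of the formatter, not its input; that is the placement the root cause analysis attributes to the commit, and it means a formatter that deliberately returns markup would also be escaped and would need a separate, explicitly trusted rendering path.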


WAF Protection Rules

WAF Rule

Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format).
