CVE-2019-16763: Pannellum Cross-Site Scripting due to data not being sanitized for URIs or vbscript

CVSS Score (v3.1)
4.8

Basic Information

EPSS Score
0.70867%
Published
11/22/2019
Updated
1/11/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
Package Name
pannellum
Ecosystem
npm
Vulnerable Versions
>= 2.5.0, < 2.5.5
First Patched Version
2.5.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from incomplete URL sanitization in the sanitizeURL function. The pre-patch version lacked two checks: 1) rejection of the vbscript: protocol, and 2) blocking of data: URIs in href contexts. The commit diff shows both gaps being closed by adding 'vbscript:' detection and a new 'href' parameter flag that blocks data URIs when set. Multiple call sites (createHotSpot, processOptions) were updated to pass this flag when handling clickable links, confirming these were the vulnerable execution paths. The function's incomplete sanitization allowed a crafted URL to deliver an XSS payload directly.
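
The patched logic described above, as an added illustration in JavaScript (not Pannellum's own sanitizeURL): a scheme check that rejects javascript: and vbscript:, plus a hypothetical href flag that additionally rejects data: URIs only where the URL becomes a clickable link, with a buildHotSpot helper standing in for the createHotSpot/processOptions call sites. It goes beyond the described fix in one respect: it strips the whitespace and control characters browsers ignore before comparing schemes, so a scheme prefix broken up with tabs or newlines is still caught.

```javascript
// Added illustration modelled on the fix described in the analysis above; this is
// not Pannellum's own sanitizeURL. `href` (hypothetical flag) marks a URL that
// will land in a clickable link, where a data: URI would navigate the browser
// into attacker-controlled content; image sources may still use data: URIs.
const SCRIPT_SCHEMES = ['javascript:', 'vbscript:'];
const SAFE_FALLBACK = 'about:blank';

// Browsers strip leading/trailing C0 controls and spaces, and remove tab, LF
// and CR anywhere, before parsing the scheme, so "Java\tScript:" still resolves
// to javascript:. Apply the same normalisation before comparing.
function normalizeForSchemeCheck(url) {
  return String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
}

// Returns the URL unchanged if acceptable, otherwise a harmless fallback.
function sanitizeURL(url, href) {
  const normalized = normalizeForSchemeCheck(url);
  if (SCRIPT_SCHEMES.some((scheme) => normalized.startsWith(scheme))) {
    return SAFE_FALLBACK; // script scheme: blocked in every context
  }
  if (href && normalized.startsWith('data:')) {
    return SAFE_FALLBACK; // data: URI in a link: blocked only for href contexts
  }
  return url;
}

// Stand-in for the createHotSpot/processOptions call sites the analysis names:
// only the clickable URL is sanitized with href=true; the hotspot image is not.
function buildHotSpot(config) {
  return {
    linkHref: config.URL === undefined ? undefined : sanitizeURL(config.URL, true),
    imageSrc: config.image === undefined ? undefined : sanitizeURL(config.image, false),
  };
}
```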

WAF Protection Rules

WAF Rule

Versions of `pannellum` prior to 2.5.5 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize URLs for data URIs, which may allow attackers to execute arbitrary code in a victim's browser.

Recommendation

Upgrade to version
