Miggo Logo
Miggo Vulnerability Database
CVE-2019-17625

CVE-2019-17625:
Rambox RCE Vulnerability

9.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-17625
GHSA ID
GHSA-2gc6-2h2g-ph48
EPSS Score
0.89286%
CWE
CWE-78
Published
5/24/2022
Updated
7/18/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Ramboxnpm<= 0.6.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

While exact function names/paths aren't disclosed in available sources, the vulnerability pattern clearly indicates: 1) Input handling functions that store unsanitized user-controlled 'name' values 2) Rendering functions that dangerously output these values as HTML. The combination enables XSS->RCE via Electron's nodeIntegration. The confidence remains high because the attack vector (IMG onerror with exec) fundamentally requires both improper input handling and unsafe rendering to be exploitable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * stor** XSS in R*m*ox *.*.* t**t **n l*** to *o** *x**ution. T** XSS is in t** n*m* *i*l* w*il* ***in*/**itin* * s*rvi**. T** pro*l*m o**urs *u* to in*orr**t s*nitiz*tion o* t** n*m* *i*l* w**n **in* pro**ss** *n* stor**. T*is *llows * us*r

Reasoning

W*il* *x**t `*un*tion` n*m*s/p*t*s *r*n't *is*los** in *v*il**l* sour**s, t** vuln*r**ility p*tt*rn *l**rly in*i**t*s: *) Input **n*lin* `*un*tions` t**t stor* uns*nitiz** us*r-*ontroll** 'n*m*' v*lu*s *) R*n**rin* `*un*tions` t**t **n**rously output