CVE-2019-9142:
Moderate severity vulnerability that affects org.b3log:symphony

CVSS Score (v3.0)
6.1

Basic Information

EPSS Score
0.47285%
Published
3/6/2019
Updated
1/9/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
org.b3log:symphony
Ecosystem
maven
Vulnerable Versions
< 3.4.7
First Patched Version
3.4.7

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The CVE description names the userIntro and userNickname fields handled by processor/SettingsProcessor.java as the XSS vectors. Both are profile fields: a user submits them once through the settings form, the server stores them, and they are later rendered to other users wherever the profile is displayed. A settings handler that accepts these fields without validating them on input, combined with a view that writes them into HTML without encoding, yields a stored XSS: the payload persists and executes for every viewer. The CVSS vector on this page is consistent with that reading (UI:R, because a victim has to view the profile; S:C, because the script runs in the victim's browser rather than in the account that set the field). The advisory does not name the handler method; in Java web applications it is typically a profile-update method, so the file path and field names are enough to locate the affected code with high confidence.
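The following is an added example, not Symphony's own code: a minimal profile-settings handler that reproduces the class of bug described above and sits beside the hardened version. The class, method and store names (ProfileXssExample, updateProfileVulnerable, updateProfileFixed, DB) are hypothetical; the request map stands in for the HTTP form parameters and the payload is constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

// Added example (hypothetical names, not Symphony's code). Models a settings
// handler that stores userIntro/userNickname and a view that renders them.
public class ProfileXssExample {

    // In-memory stand-in for the user table: userId -> field -> value.
    static final Map<String, Map<String, String>> DB = new HashMap<>();

    // Vulnerable path: stores the submitted fields exactly as received.
    static void updateProfileVulnerable(String userId, Map<String, String> request) {
        Map<String, String> user = DB.computeIfAbsent(userId, k -> new HashMap<>());
        user.put("userIntro", request.get("userIntro"));
        user.put("userNickname", request.get("userNickname"));
    }

    // Vulnerable render: concatenates stored text straight into HTML, so a
    // <script>/<img onerror> payload stored by one user runs for every viewer.
    static String renderProfileVulnerable(String userId) {
        Map<String, String> u = DB.get(userId);
        return "<h1>" + u.get("userNickname") + "</h1><p>" + u.get("userIntro") + "</p>";
    }

    // Hardened path, step 1 (defence in depth): bound the input. Length and
    // control-character checks do not stop XSS by themselves; they limit what
    // an attacker can store and reject obviously malformed submissions.
    static void updateProfileFixed(String userId, Map<String, String> request) {
        String intro = requireText(request.get("userIntro"), 512);
        String nick = requireText(request.get("userNickname"), 20);
        Map<String, String> user = DB.computeIfAbsent(userId, k -> new HashMap<>());
        user.put("userIntro", intro);
        user.put("userNickname", nick);
    }

    static String requireText(String value, int maxLen) {
        if (value == null) {
            return "";
        }
        if (value.length() > maxLen) {
            throw new IllegalArgumentException("field too long");
        }
        for (char c : value.toCharArray()) {
            if (Character.isISOControl(c) && c != '\n') {
                throw new IllegalArgumentException("control character in field");
            }
        }
        return value;
    }

    // Hardened path, step 2 (the actual fix): HTML-encode every stored field at
    // the output boundary, so stored markup is displayed as text, not parsed.
    static String renderProfileFixed(String userId) {
        Map<String, String> u = DB.get(userId);
        return "<h1>" + htmlEscape(u.get("userNickname")) + "</h1><p>"
                + htmlEscape(u.get("userIntro")) + "</p>";
    }

    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed payload: what an attacker would type into the settings form.
        Map<String, String> req = new HashMap<>();
        req.put("userNickname", "Mallory");
        req.put("userIntro", "hi<img src=x onerror=alert(document.cookie)>");

        updateProfileVulnerable("u1", req);
        String bad = renderProfileVulnerable("u1");
        System.out.println("vulnerable: " + bad);
        System.out.println("raw tag reaches viewers: " + bad.contains("<img src=x onerror="));

        updateProfileFixed("u2", req);
        String good = renderProfileFixed("u2");
        System.out.println("fixed:      " + good);
        System.out.println("raw tag reaches viewers: " + good.contains("<img"));
    }
}
```

Compile and run with `javac ProfileXssExample.java && java ProfileXssExample`. The design point is where the fix lives: input checks in the settings handler are worth having, but the defect the advisory describes is only closed once every read of userIntro and userNickname is encoded for the HTML context it is written into; fixing one view and missing another leaves the stored payload live.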


WAF Protection Rules

WAF Rule

An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.
