
CVE-2020-13459: Image Resizer Cross-site Scripting (XSS) in the Bulk Resize action

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.43188%
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: verbb/image-resizer
Ecosystem: composer
Vulnerable Versions: < 2.0.9
First Patched Version: 2.0.9

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability exists in the Bulk Resize action, which is typically handled by a controller in MVC frameworks like Craft CMS. The changelog explicitly mentions fixing XSS in this action, indicating input sanitization was missing in the controller/view layer. Craft CMS plugins commonly use controllers to handle admin actions, and XSS would occur when unsanitized user input (e.g., filenames or parameters) is reflected in admin panels. The lack of escaping in the Bulk Resize interface before v2.0.9 would allow stored XSS via crafted input.


WAF Protection Rules

WAF Rule

An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.
