
CVE-2020-19000: Cross Site Scripting (XSS) in Simiki

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.61467%
Published: 9/1/2021
Updated: 10/22/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: simiki
Ecosystem: pip
Vulnerable Versions: <= 1.6.2.1
First Patched Version: 1.6.2.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two related issues in template handling: 1) The PageGenerator's HTML generation logic (generate method) passes user-controlled input (like titles) to Jinja2 templates without proper escaping. 2) The root cause is the insecure initialization of the Jinja2 Environment in generators.py (line 54 in vulnerable versions) where autoescaping is disabled by default. This combination allows attackers to inject arbitrary HTML/JS via user-controlled content like page titles. The GitHub issue #123 explicitly identifies the Jinja2 autoescape configuration as the XSS vector, and the CVE description pinpoints generators.py line 54 as the vulnerable component.
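
The effect of the autoescape setting described above, shown as an added example that is not Simiki's own code: the template, the page dictionary and the function names are constructed for illustration, and the hardened variant is one common Jinja2 configuration, not necessarily the change made in 1.6.2.2.

```python
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

# Constructed stand-in for a theme's page template (not Simiki's real theme).
TEMPLATES = {
    "page.html": "<title>{{ page.title }}</title>\n"
                 "<h1>{{ page.title }}</h1>\n"
                 "<article>{{ page.content }}</article>",
}

# Constructed page metadata: the title is author-controlled text, while the
# content is HTML that the generator itself produced from Markdown.
PAGE = {
    "title": "<script>alert(1)</script>",
    "content": "<p>Hello</p>",
}


def build_env(autoescape):
    """Create a Jinja2 Environment; autoescape is the only setting varied."""
    return Environment(loader=DictLoader(TEMPLATES), autoescape=autoescape)


def render_unescaped(page):
    # Jinja2's Environment defaults to autoescape=False, so an Environment
    # built with only a loader renders every variable verbatim.
    return build_env(False).get_template("page.html").render(page=page)


def render_escaped(page):
    # Escape by default for .html/.xml templates and mark only the
    # generator's own rendered Markdown as safe markup.
    env = build_env(select_autoescape(["html", "xml"]))
    safe_page = dict(page, content=Markup(page["content"]))
    return env.get_template("page.html").render(page=safe_page)


if __name__ == "__main__":
    print("autoescape off:\n" + render_unescaped(PAGE) + "\n")
    print("autoescape on:\n" + render_escaped(PAGE))
```

With autoescaping on, the title is emitted as inert text while the body HTML still renders, which is why trusted markup has to be marked explicitly rather than disabling escaping for the whole environment.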


Cross Site Scripting (XSS) in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary code via line 54 of the component 'simiki/blob/master/simiki/generators.py'.