6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-19698

GHSA ID

GHSA-5p84-mmh9-pxgr

EPSS Score

0.44408%

CWE

CWE-79

Published

4/4/2023

Updated

4/7/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-19698

CVE-2020-19698: Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the editor parameter.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-19698

GHSA ID

GHSA-5p84-mmh9-pxgr

EPSS Score

0.44408%

CWE

CWE-79

Published

4/4/2023

Updated

4/7/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
editor.md	npm	<= 1.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input sanitization in HTML processing. The pull request #860 specifically modifies the filterHTML function's regex patterns to address self-closing tags and event handler attributes. Multiple GitHub issues (#700, #715, etc.) demonstrate that malicious scripts/attributes persisted through the original filtering logic. The function's responsibility for HTML sanitization and the direct correlation between its regex shortcomings and the XSS payloads described in PoCs confirm its vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* S*riptin* vuln*r**ility *oun* in P*n**o **itor.m* v.*.*.* *llows * r*mot* *tt**k*r to *x**ut* *r*itr*ry *o** vi* * *r**t** s*ript to t** `**itor` p*r*m*t*r.

Reasoning

T** vuln*r**ility st*ms *rom improp*r input s*nitiz*tion in *TML pro**ssin*. T** pull r*qu*st #*** sp**i*i**lly mo*i*i*s t** `*ilt*r*TML` *un*tion's r***x p*tt*rns to ***r*ss s*l*-*losin* t**s *n* *v*nt **n*l*r *ttri*ut*s. Multipl* *it*u* issu*s (#**

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-19698: Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI