
CVE-2020-19698: Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.44408%
Published: 4/4/2023
Updated: 4/7/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: editor.md
Ecosystem: npm
Vulnerable Versions: <= 1.5.0
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper input sanitization in HTML processing. Pull request #860 modifies the regex patterns of the `filterHTML` function to address self-closing tags and event handler attributes. Multiple GitHub issues (#700, #715, etc.) demonstrate that malicious scripts and attributes persisted through the original filtering logic. Because this function is responsible for HTML sanitization, and the shortcomings of its regexes correlate directly with the XSS payloads described in the PoCs, it is identified as the vulnerable function.
