CVE-2020-22765: NukeViet Cross-site Scripting via the editor in the News module

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.68969%
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: nukeviet/nukeviet
Ecosystem: composer
Vulnerable Versions: = 4.4.0
First Patched Version: 4.4.01

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability manifests in the News module's editor interface. While the exact code isn't available, XSS in CMS editors typically occurs in content-handling functions that: 1) accept HTML input, 2) fail to properly filter or escape dangerous elements, and 3) store and display content without sanitization. The 'medium' confidence reflects the lack of direct code access, but the pattern matches common editor XSS vulnerabilities where WYSIWYG content processing lacks adequate HTML sanitization controls.
