
CVE-2020-23849: Cross-site Scripting in jsoneditor

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.49477%
Published: 10/12/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
(network-reachable, low attack complexity, no privileges required, user interaction required, scope changed, low confidentiality and integrity impact, no availability impact; the UI:R and S:C components are the usual profile of a stored XSS that fires when a victim opens the poisoned document)

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
jsoneditor | npm | < 9.0.2 | 9.0.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability manifests in tree-mode rendering, where user-controlled JSON content (keys as well as values) is inserted into the DOM without being escaped. Exact patch details are not available on this page, so the following is an inference from typical XSS patterns in JSON tree viewers rather than a confirmed reading of the fixed code:

  1. A node rendering function (renderNode) likely writes field and value text into the node's markup without escaping.
  2. A node construction function (_createTreeNode) probably builds DOM elements directly from JSON values, for example via innerHTML rather than textContent.

Confidence is medium because no direct code references are available, but the hypothesis is consistent with standard XSS patterns in JSON tree viewers and with the described attack vector: the payload is stored inside the JSON document and executes when that document is opened in tree mode.

Vulnerable functions


WAF Protection Rules

WAF Rule

Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript.
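To make the pattern described in the root cause analysis concrete, and to show the kind of check a WAF rule for this issue would perform, here is an added example written for this page. It is not jsoneditor's source code and does not reproduce the actual patch: the function names (renderNodeUnsafe, renderNodeSafe, renderTree, findMarkupInValues), the markup layout and the sample document are all assumptions constructed for illustration. The string renderer stands in for a tree view that assigns to innerHTML; the hardened variant escapes every document-controlled string, which in a browser is equivalent to building elements with document.createElement and assigning textContent.

```javascript
// Added illustration for this advisory; NOT jsoneditor's code and NOT its patch.
// Function names, markup layout and the sample document are assumptions.

// Minimal HTML escaper covering the characters that matter in text and
// attribute context.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: key and value are interpolated straight into markup,
// the string equivalent of assigning to innerHTML. A value such as
// '<img src=x onerror=...>' becomes live HTML once rendered.
function renderNodeUnsafe(key, value) {
  return `<div class="field">${key}</div><div class="value">${value}</div>`;
}

// Hardened pattern: every document-controlled string is escaped before it
// reaches the markup (browser equivalent: el.textContent, never innerHTML).
function renderNodeSafe(key, value) {
  return `<div class="field">${escapeHtml(key)}</div>` +
         `<div class="value">${escapeHtml(value)}</div>`;
}

// Walks a parsed JSON document the way a tree view does and renders each
// leaf with the supplied node renderer. Keys are attacker-controlled too.
function renderTree(node, renderNode, key = '') {
  if (node !== null && typeof node === 'object') {
    return Object.entries(node)
      .map(([k, v]) => renderTree(v, renderNode, k))
      .join('');
  }
  return renderNode(key, node);
}

// Detection helper in the spirit of a WAF rule: flags JSON keys and string
// values that contain a tag opener, an inline event-handler attribute or a
// javascript: URL. Heuristic by design (a key like "one=1" also trips it);
// returns the JSON paths of the offending strings.
const MARKUP_PATTERN = /<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;
function findMarkupInValues(node, path = '$') {
  const hits = [];
  if (node !== null && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (MARKUP_PATTERN.test(k)) hits.push(`${path}.${k}`);
      hits.push(...findMarkupInValues(v, `${path}.${k}`));
    }
  } else if (typeof node === 'string' && MARKUP_PATTERN.test(node)) {
    hits.push(path);
  }
  return hits;
}

// Constructed sample document: one harmless field and one XSS payload.
const SAMPLE_DOCUMENT = {
  name: 'report',
  note: '<img src=x onerror="alert(document.domain)">',
};

console.log(renderTree(SAMPLE_DOCUMENT, renderNodeUnsafe)); // payload is live HTML
console.log(renderTree(SAMPLE_DOCUMENT, renderNodeSafe));   // payload is inert text
console.log(findMarkupInValues(SAMPLE_DOCUMENT));           // [ '$.note' ]
```

The detection helper is a pre-filter, not a substitute for the fix: a tree viewer must treat every key and value as text regardless of what a gateway lets through, since the stored document may have entered the system through a path the WAF never sees.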
