
CVE-2020-25449:
Cabot Cross Site Scripting (XSS) vulnerability via Address column

CVSS Score (v3.1)
4.8

Basic Information

EPSS Score
0.65953%
Published
5/24/2022
Updated
9/6/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package Name
cabot
Ecosystem
pip
Vulnerable Versions
<= 0.11.12
First Patched Version
not listed

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from two key points: 1) The StatusCheck model's endpoint field (mapped to the Address column) lacked input validation via URLValidator, enabling storage of untrusted data. 2) The template deliberately disabled autoescaping for error output, allowing execution of stored scripts. The fix added URL validation and removed the autoescape override, confirming these as the vulnerable points.
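The two root-cause points above, shown side by side as an added, self-contained example (this is not Cabot's code and not Django's API): validate_endpoint() is a simplified stand-in for the URLValidator the fix attached to the endpoint field, and render_error() stands in for an error-message template rendered either with autoescaping disabled (the vulnerable override) or with Django's default escaping restored. The sample values are constructed.

```python
"""
Constructed illustration of the two root-cause points in CVE-2020-25449:
(1) the stored endpoint ("Address") value is never validated as a URL, and
(2) error output is rendered with autoescaping turned off.

Stand-alone example code: validate_endpoint() is a simplified substitute
for Django's URLValidator and render_error() for a template; neither is
the project's own implementation.
"""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_endpoint(value: str) -> str:
    """Accept only absolute http(s) URLs with a host; raise ValueError otherwise.

    Plays the role of the validator that the fix attached to the
    StatusCheck.endpoint field (simplified; Django's own validator is stricter).
    Returns the cleaned value so a caller can store exactly what was checked.
    """
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("missing host")
    # These characters never belong in a well-formed URL but are the building
    # blocks of HTML injection, so the whole value is rejected, not sanitised.
    if any(ch in value for ch in "<>\"' "):
        raise ValueError("illegal character in URL")
    return value


def is_valid_endpoint(value: str) -> bool:
    """Boolean wrapper around validate_endpoint() for form-style checks."""
    try:
        validate_endpoint(value)
    except ValueError:
        return False
    return True


def render_error(endpoint: str, autoescape: bool = True) -> str:
    """Render the error line a status page shows for a failing check.

    autoescape=False reproduces the vulnerable template override: the stored
    value is concatenated into the HTML unchanged. autoescape=True is the
    default behaviour the fix restored by removing that override.
    """
    shown = html.escape(endpoint, quote=True) if autoescape else endpoint
    return f'<li class="error">Check failed for {shown}</li>'


# Constructed sample values: one legitimate address and one HTML fragment of
# the kind the unvalidated Address column could store before the fix.
SAMPLES = [
    "https://status.example.com/health",
    "<script>x</script>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: accepted by validator = {is_valid_endpoint(sample)}")
        print("  autoescape off:", render_error(sample, autoescape=False))
        print("  autoescape on: ", render_error(sample, autoescape=True))
```

Either control alone closes the hole for this path: the validator keeps markup out of the database, and escaping keeps anything that does get stored from being interpreted as HTML. Together they give defence in depth, which is why the fix applied both.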

Vulnerable functions


WAF Protection Rules

WAF Rule

Cross Site Scripting (XSS) vulnerability in Arachnys Cabot up to and including 0.11.12 can be exploited via the Address column.
