
CVE-2020-26249: Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability

CVSS Score (v3.1): 7.7

Basic Information

EPSS Score: 0.60769%
Published: 12/8/2020
Updated: 10/25/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name: red-dashboard
Ecosystem: pip
Vulnerable Versions: <= 0.1.6a
First Patched Version: 0.1.7a

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two key patterns:

  1. In dashboard.html, the pre-patch code used `${g.name}` and `${g.owner}` inside template literals to build the HTML for each guild card directly. Discord server names and owner usernames are attacker-controlled, so a crafted value is parsed as markup when the string is written into the page, allowing injection of arbitrary HTML/JS.
  2. In guild.html, the pre-patch code inserted unescaped rule.name values into <code> elements in the same way.

The patches introduced HTML escaping (via a safe() function) and jQuery's .text() method so that these values are rendered as literal text instead of being parsed as markup. Both patterns are classic DOM-based XSS: user-controlled input was written into the document without contextual escaping, so injected script runs in the dashboard's origin, in the browser of whichever dashboard user loads the affected page (hence UI:R and PR:L in the CVSS vector) and with that user's session.
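The two rendering patterns described above, side by side, as an added example written for this page rather than the red-dashboard project's own templates. The field names g.name, g.owner and rule.name are taken from the analysis; the surrounding markup, the function names, the stand-in for the patch's safe() helper and the hostile inputs are assumptions constructed for the example. It is plain string building so that it runs in Node without a DOM:

```javascript
// Added example, not red-dashboard's code: vulnerable vs. hardened rendering
// of Discord-controlled strings. Markup, function names and payloads are
// assumptions for this example; only g.name, g.owner and rule.name come from
// the write-up.

// Vulnerable pattern (dashboard.html, pre-patch): Discord-controlled strings
// are interpolated straight into an HTML template literal. Once this string
// is assigned to innerHTML, any markup inside g.name or g.owner is parsed.
function renderGuildCardVulnerable(g) {
  return `<div class="guild"><h3>${g.name}</h3>` +
         `<span class="owner">${g.owner}</span></div>`;
}

// HTML escaper for text and double-quoted attribute contexts: the five
// characters that can terminate text content or an attribute value.
// This stands in for the safe() helper the patch introduced (assumed).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every untrusted value is escaped before it is
// concatenated, so the browser renders it as literal text.
function renderGuildCardSafe(g) {
  return `<div class="guild"><h3>${escapeHtml(g.name)}</h3>` +
         `<span class="owner">${escapeHtml(g.owner)}</span></div>`;
}

// guild.html: rule names written into <code> elements. In the browser the
// patch uses jQuery's .text(), which sets textContent and never parses the
// value; without a DOM the same guarantee comes from escaping at build time.
function renderRulesSafe(rules) {
  return rules
    .map((rule) => `<li><code>${escapeHtml(rule.name)}</code></li>`)
    .join('');
}

// Test oracle for this example only (not a sanitizer): does the rendered
// string still contain a <script> tag or an inline on*= event handler?
function containsActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed inputs: a server name carrying an event-handler payload and an
// owner name that would break out of a double-quoted attribute if it were
// ever placed in one.
const hostileGuild = {
  name: '<img src=x onerror=alert(document.cookie)>',
  owner: 'mallory" onmouseover="alert(1)',
};

// Render the same hostile guild both ways and report whether live markup
// survived in each result.
function demo() {
  const vulnerable = renderGuildCardVulnerable(hostileGuild);
  const hardened = renderGuildCardSafe(hostileGuild);
  return {
    vulnerableHasHandler: containsActiveMarkup(vulnerable), // true
    hardenedHasHandler: containsActiveMarkup(hardened),     // false
    hardened,
  };
}

console.log(demo());
```

Two caveats for anyone applying this pattern in a real dashboard: escaping is context-dependent, and the escaper above covers only text content and double-quoted attribute values, not URLs, inline JavaScript or CSS; and where an element already exists, setting it through textContent (or jQuery's .text(), as the patch does) is preferable to building HTML strings at all, because the value is never handed to the HTML parser.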

WAF Protection Rules

WAF Rule

### Impact
A RCE exploit has been discovered in the Red Discord Bot - Dashboard Webserver: this exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing thi
