CVE-2020-28470: Cross-site Scripting (XSS) in @scullyio/scully
CVSS Score: 7.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-28470
GHSA ID:
EPSS Score: 0.52856%
CWE:
Published: 4/13/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @scullyio/scully | npm | < 1.0.9 | 1.0.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsafe JSON serialization of transfer state that is written directly into HTML. Based on Angular transfer state patterns and Scully's architecture:
- TransferStateService.serializeTransferState would contain the vulnerable JSON.stringify() call
- RenderUtils.injectTransferState would perform the actual unsafe DOM insertion

These functions would appear in stack traces when malicious payloads are processed during static page generation. The high confidence comes from the direct match between the vulnerability description (unsafe JSON.stringify usage) and standard Angular transfer state implementation patterns.
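As an added illustration (not Scully's own code; the function names and the sample state below are constructed for this page), the pattern the analysis describes: plain JSON.stringify output placed inside an inline script element lets a string value containing "</script>" end the element early, whereas escaping the HTML-significant characters to JSON \uXXXX sequences before injection keeps the block intact while still parsing back to the same object.

```javascript
// Added example: a minimal stand-in for a static-site transfer-state
// injector. Function names are assumed, not taken from Scully's source.

// Constructed sample state: "title" stands for content an attacker can
// influence (e.g. fetched from a CMS while pages are pre-rendered).
const SAMPLE_STATE = {
  title: 'Hello</script><script>alert(1)</script>',
  count: 3,
};

// Unsafe pattern: JSON.stringify output goes straight into the page.
// JSON escapes quotes and control characters but not '<', '>', '&' or the
// line separators U+2028/U+2029, so "</script>" survives untouched.
function unsafeInjectTransferState(html, state) {
  const script = `<script id="state">${JSON.stringify(state)}</script>`;
  return html.replace('</body>', `${script}</body>`);
}

// Hardened serializer: replace HTML-significant characters with JSON
// unicode escapes. The output is still valid JSON and parses back to the
// same object, but contains no '<' an HTML parser could read as a tag.
const HTML_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};
function safeSerialize(state) {
  return JSON.stringify(state).replace(/[<>&\u2028\u2029]/g, (c) => HTML_ESCAPES[c]);
}

function safeInjectTransferState(html, state) {
  const script = `<script id="state">${safeSerialize(state)}</script>`;
  return html.replace('</body>', `${script}</body>`);
}

// Defender's check, mimicking the HTML parser: the first "</script>" after
// the opening tag ends the block. Returns the parsed state, or null when
// the block was cut short because a value broke out of the script context.
function extractTransferState(html) {
  const m = html.match(/<script id="state">([\s\S]*?)<\/script>/i);
  if (!m) return null;
  try {
    return JSON.parse(m[1]);
  } catch (e) {
    return null;
  }
}
```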