
CVE-2020-28470: Cross-site Scripting (XSS) in @scullyio/scully

CVSS Score
7.3 (CVSS v3.1)

Basic Information

EPSS Score
0.52856%
Published
4/13/2021
Updated
2/1/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package Name
@scullyio/scully
Ecosystem
npm
Vulnerable Versions
< 1.0.9
First Patched Version
1.0.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unsafe JSON serialization of transfer state that gets written directly into HTML. Based on Angular transfer state patterns and Scully's architecture:

  1. TransferStateService.serializeTransferState would handle the vulnerable JSON.stringify() call.
  2. RenderUtils.injectTransferState would execute the actual unsafe DOM insertion.

These functions would appear in stack traces when malicious payloads are processed during static page generation. The high confidence comes from the direct match between the vulnerability description (unsafe JSON.stringify usage) and standard Angular transfer state implementation patterns.
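The following is an added illustration of the pattern the analysis describes, not Scully's own code and not the two functions named above: a transfer-state object is serialized with JSON.stringify() and written verbatim into a script block, beside the usual hardening (escaping HTML-significant characters as JSON \uXXXX sequences so the output stays valid JSON). The function names, the script element id and the sample state are all constructed for this example.

```javascript
// Added example (not Scully's code). Function and element names are hypothetical.

// Constructed transfer-state payload. The comment string stands in for any
// content that reaches the state from outside (a CMS field, an API response).
const sampleState = {
  route: '/blog/hello',
  title: 'Hello',
  comment: 'nice post </script><p>content injected here</p>',
  note: 'line\u2028separator',
};

// Vulnerable shape: JSON.stringify output is written into the page as-is.
// JSON.stringify does not escape '<', '>' or '&', so a "</script>" inside any
// string value closes the script element early and the remainder is parsed
// as HTML by the browser.
function serializeTransferStateUnsafe(state) {
  return JSON.stringify(state);
}

// Hardened shape: replace the characters the HTML parser cares about, plus the
// JS line terminators U+2028/U+2029 (legal inside JSON strings, historically
// not inside JS string literals), with JSON \uXXXX escapes. The result is still
// valid JSON, so JSON.parse() on the client recovers the original values.
const HTML_SENSITIVE = /[<>&\u2028\u2029]/g;
function serializeTransferStateSafe(state) {
  return JSON.stringify(state).replace(HTML_SENSITIVE, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Writes the serialized state into the page the way a static renderer would.
// A function replacement is used so that "$&"-style patterns in the payload
// are not interpreted by String.prototype.replace.
function injectTransferState(html, serialized) {
  const block = `<script id="transfer-state" type="application/json">${serialized}</script>`;
  return html.replace('</body>', () => block + '</body>');
}

// Defender-side check on the rendered output: one injected block should yield
// exactly one "</script>"; any more means a string value broke out of it.
function countScriptCloses(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

const pageTemplate = '<html><body><app-root></app-root></body></html>';

function renderUnsafe(state = sampleState) {
  return injectTransferState(pageTemplate, serializeTransferStateUnsafe(state));
}

function renderSafe(state = sampleState) {
  return injectTransferState(pageTemplate, serializeTransferStateSafe(state));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe </script> count:', countScriptCloses(renderUnsafe())); // 2
  console.log('safe   </script> count:', countScriptCloses(renderSafe()));   // 1
}
```

The escaping step is the whole fix: it changes the bytes written into the HTML but not the value the client reads back, which is why it can be applied at serialization time without touching any consumer of the transfer state.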

WAF Protection Rules

WAF Rule

This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page.
