CVE-2020-28847: Cross site scripting in valine

CVSS Score: 5.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.40267%
Published: 4/6/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name: valine
Ecosystem: npm
Vulnerable Versions: < 1.4.15
First Patched Version: 1.4.15

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from unsanitized 'nick' parameter handling in comment submissions. The proof-of-concept shows XSS via the nick field in POST /classes/Comment, indicating the backend comment processing function accepts raw user input without adequate XSS protections. While exact code isn't available, the pattern matches classic stored XSS vulnerabilities where user-controlled input (nick) isn't sanitized before persistence. The fix in v1.4.15 ('fix xss') likely added input sanitization/escaping in this comment handling logic.

