CVE-2020-7642:
Cross-site scripting in lazysizes

CVSS 3.1 Score: 5.4

Basic Information

EPSS Score: 0.56353%
Published: 12/10/2021
Updated: 9/5/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: lazysizes
Ecosystem: npm
Vulnerable Versions: <= 5.2.0
First Patched Version: 5.2.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from unsafe handling of user-controlled attributes in the video embedding functions. The commit diff shows that these functions previously built iframe HTML without first validating the attribute values with regValidParam. An attacker could therefore inject arbitrary JavaScript through malicious attribute values, which were inserted directly into innerHTML. The patch adds validation checks for these specific attributes in these functions, confirming their role in the vulnerability.
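The unsafe and the validated embed construction side by side, as an added example that is not lazysizes' own code: the whitelist regex is an assumption modelled on the regValidParam check the analysis mentions, and the function names and sample attribute values are constructed.

```javascript
// Added example, not lazysizes' own code: models the bug class in the
// video-embed plugin, where data-* attribute values were copied into
// iframe markup and assigned to innerHTML without validation.

// Whitelist modelled on the regValidParam check named in the analysis
// (assumption: the exact pattern in lazysizes may differ). It admits only
// the characters a video id or query string needs; quotes, angle brackets,
// spaces and slashes are excluded, so a value can never close the
// attribute or the tag it is written into.
const regValidParam = /^[\w\-.=&%:]+$/;

// Vulnerable pattern (pre-5.2.1 behaviour): the attribute values are
// concatenated straight into HTML.
function buildYoutubeEmbedUnsafe(videoId, params) {
  const query = params ? '?' + params : '';
  return '<iframe src="https://www.youtube.com/embed/' + videoId + query +
    '" frameborder="0" allowfullscreen></iframe>';
}

// Hardened pattern: every attacker-reachable attribute is checked against
// the whitelist first; if any check fails, no markup is produced at all.
function buildYoutubeEmbedSafe(videoId, params) {
  if (!regValidParam.test(videoId)) return null;
  if (params && !regValidParam.test(params)) return null;
  return buildYoutubeEmbedUnsafe(videoId, params);
}

// Audit helper: given the data-* attributes found on an element, report
// which of them the validated plugin would reject.
function rejectedAttributes(attrs) {
  return Object.keys(attrs).filter(function (name) {
    return attrs[name] !== '' && !regValidParam.test(attrs[name]);
  });
}

// Constructed sample values: a well-formed id and one carrying markup.
const goodId = 'abc123XYZ_-';
const badId = 'abc"><b>injected</b><iframe src="';

console.log('unsafe:', buildYoutubeEmbedUnsafe(badId, ''));
console.log('safe:', buildYoutubeEmbedSafe(badId, ''));
console.log('rejected:', rejectedAttributes({
  'data-youtube': badId,
  'data-ytparams': 'rel=0&start=10'
}));
```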

WAF Protection Rules

WAF Rule

lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: `data-vimeo`, `data-vimeoparams`, `data-youtube` and `data-ytparams`, which can be abused to inject malicious JavaScript.
