4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23439

GHSA ID

GHSA-97pv-4338-r5vp

EPSS Score

0.60629%

CWE

CWE-79

Published

9/7/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-23439

CVE-2021-23439: Cross-site Scripting in file-upload-with-preview

This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).

(GitHub Advisory)

4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23439

GHSA ID

GHSA-97pv-4338-r5vp

EPSS Score

0.60629%

CWE

CWE-79

Published

9/7/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
file-upload-with-preview	npm	< 4.2.0	4.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper neutralization of file names before DOM insertion. The advisory references line 168 in the source file, which in the patched version (PR #40) shows security-focused changes. The fix involved using textContent instead of innerHTML for filename display, indicating the original implementation directly injected user-controlled filenames into DOM elements without sanitization. This pattern matches classic stored XSS vulnerability patterns where user-controlled input is rendered unsafely.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** *il*-uplo**-wit*-pr*vi*w ***or* *.*.*. * *il* *ont*inin* m*li*ious J*v*S*ript *o** in t** n*m* **n ** uplo**** (* us*r n***s to ** tri*k** into uplo**in* su** * *il*).

Reasoning

T** vuln*r**ility st*ms *rom improp*r n*utr*liz*tion o* *il* n*m*s ***or* *OM ins*rtion. T** **visory r***r*n**s lin* *** in t** sour** *il*, w*i** in t** p*t**** v*rsion (PR #**) s*ows s**urity-*o*us** ***n**s. T** *ix involv** usin* `t*xt*ont*nt` i

4.2

Basic Information

Concerned about an active attack path?

CVE-2021-23439: Cross-site Scripting in file-upload-with-preview

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI