CVE-2021-23673: Cross-site Scripting in pekeupload
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.47285%
CWE
Published
12/2/2021
Updated
2/1/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
pekeupload | npm | <= 2.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The XSS occurs when filenames containing JavaScript are rendered unsafely in the DOM. The Snyk PoC demonstrates this by triggering an alert via an <img onerror> payload in the filename
. The vulnerability pattern matches unsafe DOM manipulation methods like innerHTML
/innerText
without escaping, which would exist in the file-list
rendering logic. While the exact function name
isn't visible without source code, the file upload UI component (pekeUpload.js
) must contain this insecure rendering logic based on the exploit mechanism and references to similar plupload
code.