Miggo Logo

CVE-2021-23673: Cross-site Scripting in pekeupload

6.1

CVSS Score
3.1

Basic Information

EPSS Score
0.47285%
Published
12/2/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
pekeuploadnpm<= 2.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The XSS occurs when filenames containing JavaScript are rendered unsafely in the DOM. The Snyk PoC demonstrates this by triggering an alert via an <img onerror> payload in the filename. The vulnerability pattern matches unsafe DOM manipulation methods like innerHTML/innerText without escaping, which would exist in the file-list rendering logic. While the exact function name isn't visible without source code, the file upload UI component (pekeUpload.js) must contain this insecure rendering logic based on the exploit mechanism and references to similar plupload code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts *ll v*rsions o* p**k*** p*k*uplo**. I* *n *tt**k*r in*u**s * us*r to uplo** * *il* w*os* n*m* *ont*ins j*v*s*ript *o**, t** j*v*s*ript *o** will ** *x**ut**.

Reasoning

T** XSS o**urs w**n *il*n*m*s *ont*inin* J*v*S*ript *r* r*n**r** uns***ly in t** *OM. T** Snyk Po* **monstr*t*s t*is *y tri***rin* *n *l*rt vi* *n <im* on*rror> p*ylo** in t** `*il*n*m*`. T** vuln*r**ility p*tt*rn m*t***s uns*** *OM m*nipul*tion m*t*