
CVE-2021-25974: Cross site scripting in publify

CVSS Score (CVSS v3.1)
5.4

Basic Information

EPSS Score
0.43188%
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name
publify_core
Ecosystem
rubygems
Vulnerable Versions
>= 8.0, < 9.2.5
First Patched Version
9.2.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The core vulnerability stems from two key issues:

  1. ContentBase#html_postprocess lacked HTML sanitization in vulnerable versions, so unsafe user input was passed directly into rendered pages. The patch explicitly adds a sanitize call.
  2. The original gsub-based implementation of nofollowify_links did not properly handle HTML safety contexts and could be bypassed. The patch's scrubber-based approach and its html_safe requirement indicate that the earlier handling was unsafe. Supporting evidence includes:
  • Multiple view templates dropped 'raw' calls (e.g., _article_excerpt.html.erb), indicating that HTML was previously output unescaped
  • Added spec tests verifying html_safe status
  • Alignment with CWE-79 (improper neutralization of input during web page generation)
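To illustrate the two issues above, here is an added example written for this page (not publify's own code): a regex-only link rewriter that never neutralizes markup, beside a sanitize-then-rewrite post-processor. The stdlib allowlist sanitizer is a toy stand-in for the scrubber-based sanitizer the patch relies on (assumed to be Rails' sanitize helper / Loofah); a real application should use those, not this.

```ruby
require "cgi"

# Tags and the attributes each may keep; every other tag is escaped as text.
ALLOWED_TAGS = { "p" => [], "b" => [], "i" => [], "a" => ["href"] }.freeze
ALLOWED_SCHEMES = %w[http https mailto].freeze

# The vulnerable pattern: a regex rewrite of anchors only. It removes and
# escapes nothing, so untrusted markup passes straight through to the page.
def nofollowify_links(html)
  html.gsub(/<a\b([^>]*)>/i) { %(<a rel="nofollow"#{Regexp.last_match(1)}>) }
end

# Toy URL check: relative URLs or an allowlisted scheme only (no javascript:, data:).
def safe_href?(value)
  v = value.strip.downcase
  !v.include?(":") || ALLOWED_SCHEMES.any? { |s| v.start_with?("#{s}:") }
end

# Toy allowlist sanitizer (stdlib only, hypothetical helper). Keeps allowed tags
# with allowed double-quoted attributes, drops unsafe hrefs, and HTML-escapes any
# other tag so the browser renders it as text instead of executing it.
def sanitize(html)
  html.gsub(%r{<(/?)([a-zA-Z0-9]+)([^>]*)>}) do
    closing = Regexp.last_match(1)
    name = Regexp.last_match(2).downcase
    attrs = Regexp.last_match(3)
    next CGI.escapeHTML(Regexp.last_match(0)) unless ALLOWED_TAGS.key?(name)
    next "</#{name}>" unless closing.empty?
    kept = attrs.scan(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/).map do |key, value|
      key = key.downcase
      next unless ALLOWED_TAGS[name].include?(key)
      next if key == "href" && !safe_href?(value)
      %( #{key}="#{CGI.escapeHTML(value)}")
    end
    "<#{name}#{kept.compact.join}>"
  end
end

# Patched order: neutralize the markup first, then rewrite the now well-formed
# anchors. Running the link rewriter on raw input is the vulnerable behaviour.
def html_postprocess(html)
  nofollowify_links(sanitize(html))
end

# Constructed sample input: body text a low-privilege author might submit.
SAMPLE = %(<p>Hi <b>there</b></p><script>alert(1)</script><a href="https://example.com" onclick="x()">link</a>)

if $PROGRAM_NAME == __FILE__
  puts nofollowify_links(SAMPLE) # script tag and onclick survive untouched
  puts html_postprocess(SAMPLE)  # script tag escaped, onclick dropped, rel added
end
```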

WAF Protection Rules

WAF Rule

In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.
