
CVE-2021-25975: Cross site scripting in publify

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.43188%
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: publify_core
Ecosystem: rubygems
Vulnerable Versions: >= 8.0, < 9.2.5
First Patched Version: 9.2.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from insufficient file type validation in the ResourceUploader. The patch added a content_type_allowlist to restrict uploads, and the commit message explicitly states this was done to prevent HTML uploads. The vulnerable version lacked this allowlist and relied only on check_image_content_type!, which was insufficient because it validated image uploads only and let other file types through. The tests added in resources_controller_spec.rb confirm that the attack vector was an HTML file uploaded through this uploader.
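As an added illustration, not code from publify or CarrierWave, the plain-Ruby model below contrasts the two policies the analysis describes: an image-only check that validates files claiming to be images but passes everything else (including text/html), and a content-type allowlist that rejects any type not explicitly listed. The allowlist contents, the sample uploads and the helper names are assumptions; CarrierWave's real content_type_allowlist option enforces the same rule inside the uploader.

```ruby
# Added example (not publify's code): models the two upload policies the
# root-cause analysis contrasts, in plain Ruby so it runs without CarrierWave.

# Assumed allowlist of MIME types a blog resource uploader should accept.
ALLOWED_CONTENT_TYPES = %w[
  image/png image/jpeg image/gif
  application/pdf audio/mpeg video/mp4
].freeze

# Assumed set of image types the image-only check recognises.
IMAGE_TYPES = %w[image/png image/jpeg image/gif].freeze

Upload = Struct.new(:filename, :content_type)

# Vulnerable policy: only uploads that claim to be images are validated.
# Anything else, including text/html, is accepted as-is, so an HTML file
# is stored and later served from the site's own origin (stored XSS).
def image_only_check(upload)
  return true unless upload.content_type.start_with?("image/")

  IMAGE_TYPES.include?(upload.content_type)
end

# Hardened policy: every upload must match the allowlist, whatever type it
# declares. text/html is not listed, so it is rejected before being stored.
def allowlist_check(upload)
  ALLOWED_CONTENT_TYPES.include?(upload.content_type)
end

# Constructed sample uploads: a normal image, an HTML file, an odd image type.
SAMPLES = [
  Upload.new("photo.png", "image/png"),
  Upload.new("page.html", "text/html"),
  Upload.new("weird.bmp", "image/bmp"),
].freeze

# Runs one policy over the samples; returns { filename => accepted? }.
def evaluate(policy)
  SAMPLES.to_h { |u| [u.filename, send(policy, u)] }
end

if __FILE__ == $PROGRAM_NAME
  puts "image-only check: #{evaluate(:image_only_check)}"
  puts "allowlist check:  #{evaluate(:allowlist_check)}"
end
```

Running it shows page.html accepted by the image-only check and rejected by the allowlist, which is the difference the patch introduced.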


WAF Protection Rules

WAF Rule

In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the "publisher" role to inject malicious JavaScript via an uploaded HTML file.
