CVE-2021-27940: openark/orchestrator cross-site scripting vulnerability
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.61069%
CWE
Published
5/24/2022
Updated
8/3/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/openark/orchestrator | go | < 3.2.4 | 3.2.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsanitized use of the 'orchestrator-msg' parameter in the JavaScript code. The commit diff shows the parameter was previously passed to addInfo()
without encoding, enabling XSS. The fix introduced a sanitizeHTML()
function to encode the parameter, confirming the lack of sanitization in the original code. The vulnerable code resides in the document-ready handler in orchestrator.js
, where user-controlled input is rendered without escaping.