
CVE-2021-27940: openark/orchestrator cross-site scripting vulnerability

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.61069%
Published: 5/24/2022
Updated: 8/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: github.com/openark/orchestrator
Ecosystem: go
Vulnerable Versions: < 3.2.4
First Patched Version: 3.2.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unsanitized use of the 'orchestrator-msg' URL parameter in the web UI's JavaScript code. The commit diff shows the parameter value was previously passed to addInfo() without HTML encoding, so markup in the parameter was rendered by the browser, enabling reflected XSS. The fix introduced a sanitizeHTML() function to encode the parameter before it is displayed, confirming that the original code performed no sanitization. The vulnerable code resides in the document-ready handler in orchestrator.js, where the user-controlled value is rendered without escaping.
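An added example, not code from the orchestrator project, contrasting the unsafe interpolation the analysis describes with an encoding step of the kind the fix introduced; the helper names `sanitizeHTML`, `getOrchestratorMsg` and `renderOrchestratorMsg`, and the alert markup, are assumptions and may differ from the real code:

```javascript
// Added example (not openark/orchestrator code). Helper names and the
// alert markup are assumptions for illustration.

// Encode the five HTML-significant characters so the browser treats the
// string as text rather than markup. This is the role the advisory
// attributes to the sanitizeHTML() added in the fix.
function sanitizeHTML(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the `orchestrator-msg` parameter from a query string such as
// window.location.search; returns null when it is absent.
function getOrchestratorMsg(search) {
  return new URLSearchParams(search).get('orchestrator-msg');
}

// Build the info-box fragment that a document-ready handler would insert.
// encode=false reproduces the pre-3.2.4 pattern (raw value becomes HTML);
// encode=true is the hardened pattern (value encoded before interpolation).
function renderOrchestratorMsg(search, encode) {
  const msg = getOrchestratorMsg(search);
  if (msg === null) return '';
  const body = encode ? sanitizeHTML(msg) : msg;
  return '<div class="alert alert-info">' + body + '</div>';
}

// Regression check a reviewer can run: the rendered fragment must contain
// no tag other than the wrapper, i.e. nothing from the parameter survives
// as markup.
function parameterLeaksMarkup(html) {
  const inner = html.replace(/^<div class="alert alert-info">/, '').replace(/<\/div>$/, '');
  return /[<>]/.test(inner);
}

// Constructed sample input (benign markup, only to show encoding happens).
const sampleSearch = '?orchestrator-msg=' + encodeURIComponent('<b>hi</b> & "x"');
console.log('unsafe :', renderOrchestratorMsg(sampleSearch, false));
console.log('encoded:', renderOrchestratorMsg(sampleSearch, true));
```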


WAF Protection Rules

WAF Rule

resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter.
