6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32660

GHSA ID

GHSA-pwhf-39xg-4rxw

EPSS Score

0.6352%

CWE

CWE-77

Published

6/4/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32660

CVE-2021-32660: Script injection

Impact

A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the TechDocs API, the content sanitazion will be bypassed. If the TechDocs API is hosted on the same origin as the Backstage app or other backend plugins, this may give access to sensitive data.

The ability to upload malicious content may be limited by internal code review processes, unless the chosen TechDocs deployment method is to use an object store and the actor has access to upload files directly to that store.

Patches

The vulnerability is patched in the 0.6.4 release of @backstage/techdocs-common.

For more information

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our chat, linked to in Backstage README

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32660

GHSA ID

GHSA-pwhf-39xg-4rxw

EPSS Score

0.6352%

CWE

CWE-77

Published

6/4/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@backstage/techdocs-common	npm	< 0.6.4	0.6.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key factors:

The API endpoint handlers (likely in router.ts) serve raw documentation files without applying the same sanitization that the frontend uses.
The storage service (StaticDocsStorage.ts) directly returns unprocessed content from object storage.

Though explicit code diffs aren't available, the vulnerability pattern matches:

CWE-434 (dangerous file upload) via direct object storage writes
CWE-77 (injection) via unsanitized content serving These functions are core to TechDocs' content serving architecture and would be the logical points where sanitization was missing pre-patch, given the described attack vector involving API-origin content delivery bypassing frontend protections.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * m*li*ious int*rn*l **tor is **l* to uplo** *o*um*nt*tion *ont*nt wit* m*li*ious s*ripts. T**s* s*ripts woul* norm*lly ** s*nitiz** *y t** T****o*s *ront*n*, *ut *y tri*kin* * us*r to visit t** *ont*nt vi* t** T****o*s *PI, t** *ont*nt s

Reasoning

T** vuln*r**ility st*ms *rom two k*y ***tors: *. T** *PI *n*point **n*l*rs (lik*ly in rout*r.ts) s*rv* r*w *o*um*nt*tion *il*s wit*out *pplyin* t** s*m* s*nitiz*tion t**t t** *ront*n* us*s. *. T** stor*** s*rvi** (St*ti**o*sStor***.ts) *ir**tly r*tur

6.8

Basic Information

Concerned about an active attack path?

CVE-2021-32660: Script injection

Impact

Patches

For more information

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI