CVE-2021-32660: Script injection
6.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.6352%
CWE
Published
6/4/2021
Updated
2/1/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
@backstage/techdocs-common | npm | < 0.6.4 | 0.6.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key factors:
- The API endpoint handlers (likely in router.ts) serve raw documentation files without applying the same sanitization that the frontend uses.
- The storage service (StaticDocsStorage.ts) directly returns unprocessed content from object storage.
Though explicit code diffs aren't available, the vulnerability pattern matches:
- CWE-434 (dangerous file upload) via direct object storage writes
- CWE-77 (injection) via unsanitized content serving These functions are core to TechDocs' content serving architecture and would be the logical points where sanitization was missing pre-patch, given the described attack vector involving API-origin content delivery bypassing frontend protections.