
CVE-2021-32660: Script injection

CVSS Score (v3.1): 6.8

Basic Information

EPSS Score: 0.6352%
Published: 6/4/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Package Name: @backstage/techdocs-common
Ecosystem: npm
Vulnerable Versions: < 0.6.4
First Patched Version: 0.6.4

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two key factors:

  1. The API endpoint handlers (likely in router.ts) serve raw documentation files without applying the same sanitization that the frontend uses.
  2. The storage service (StaticDocsStorage.ts) directly returns unprocessed content from object storage.

Though explicit code diffs aren't available, the vulnerability pattern matches:

  • CWE-434 (dangerous file upload) via direct object storage writes
  • CWE-77 (injection) via unsanitized content serving

These functions are core to TechDocs' content serving architecture and would be the logical points where sanitization was missing pre-patch, given the described attack vector involving API-origin content delivery bypassing frontend protections.


WAF Protection Rules

WAF Rule

### Impact

A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the TechDocs API, the content s
