Miggo Logo

CVE-2021-32737: XSS Injection in Media Collection Title was possible

4.8

CVSS Score
3.1

Basic Information

EPSS Score
0.57477%
Published
7/2/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
sulu/sulucomposer< 1.6.411.6.41

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability involves XSS in collection titles executed client-side. The workaround mentions patching JS files, indicating the flaw exists in frontend rendering logic. The most probable cause is unsafe DOM manipulation (e.g., using innerHTML) when displaying collection titles. While exact function names aren't visible in provided resources, the pattern matches common XSS vectors in JavaScript view components handling unescaped user-controlled data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * lo**** in **min us*r w*s possi*l* to *** * s*ript inj**tion (XSS) in t** *oll**tion titl* w*i** w*s *x**ut**. ### Work*roun*s M*nu*l p*t**in* t** js *il*s. ### *or mor* in*orm*tion I* you **v* *ny qu*stions or *omm*nts **out t*is **

Reasoning

T** vuln*r**ility involv*s XSS in *oll**tion titl*s *x**ut** *li*nt-si**. T** work*roun* m*ntions p*t**in* `JS` *il*s, in*i**tin* t** *l*w *xists in *ront*n* r*n**rin* lo*i*. T** most pro***l* **us* is uns*** *OM m*nipul*tion (*.*., usin* `inn*r*TML`