CVE-2021-32850: @claviska/jquery-minicolors vulnerable to Cross-site Scripting

CVSS Score: 6.1

Basic Information

EPSS Score: -
Published: 2/21/2023
Updated: 6/12/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name                | Ecosystem | Vulnerable Versions | First Patched Version
@claviska/jquery-minicolors | npm       | < 2.3.6             | 2.3.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unsafe HTML construction during swatch creation. The pre-patch code built each swatch by string concatenation, $('<li...title="' + name + '">'), so a color name containing a double quote could terminate the title attribute and the remainder of the name was parsed as markup, allowing HTML injection. The fix sets the attribute with .attr('title', name), which assigns the value through the DOM rather than through the HTML parser, so quotes and angle brackets in the name remain plain attribute text. This code runs during swatch initialization when user-provided color names are handled, making that the vulnerable function.
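The following is an added example, not code from jquery-minicolors or from Miggo, that reproduces the pattern described above in plain Node.js without jQuery or a browser. The swatch markup shape, the element class names and the untrusted color name are all constructed for illustration. The "safe" builder escapes the attribute value because it still assembles a string; the actual upstream fix avoids string assembly entirely by calling .attr('title', name), which assigns the value via the DOM so it is never parsed as markup. A small tag counter shows the difference a reviewer would look for: the unsafe output gains an injected element, the escaped output does not.

```javascript
// Added example modelling the pre-patch vs patched swatch construction.
// Not the library's code; markup shape and class names are illustrative.

// Constructed sample: a "color name" that arrives from an untrusted source.
// The leading quote closes the title attribute in the unsafe builder, and
// the trailing fragment keeps the remaining markup well-formed.
const UNTRUSTED_NAME = '"><img src=x onerror=alert(1)><li title="';

// Pre-patch pattern (vulnerable): the name is concatenated straight into
// HTML, so any double quote in it ends the attribute and the rest of the
// name is parsed as markup.
function buildSwatchUnsafe(color, name) {
  return '<li class="swatch" title="' + name + '">' +
         '<span style="background-color:' + color + '"></span></li>';
}

// Escape the characters that can break out of a double-quoted attribute
// (ampersand first so earlier replacements are not re-encoded).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened string-building equivalent of the fix. The upstream patch uses
// .attr('title', name) instead, which sets the attribute through the DOM and
// never runs the value through the HTML parser; escaping is the right
// substitute only when markup must be built as a string.
function buildSwatchSafe(color, name) {
  return '<li class="swatch" title="' + escapeAttr(name) + '">' +
         '<span style="background-color:' + escapeAttr(color) + '"></span></li>';
}

// Reviewer's check: count opening tags in the produced markup. Injected
// elements show up as tags that the template never emitted.
function countTags(html) {
  const tags = {};
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b/gi)) {
    const t = m[1].toLowerCase();
    tags[t] = (tags[t] || 0) + 1;
  }
  return tags;
}

// Stand-alone demonstration.
console.log('unsafe:', buildSwatchUnsafe('#ff0000', UNTRUSTED_NAME));
console.log('  tags:', countTags(buildSwatchUnsafe('#ff0000', UNTRUSTED_NAME)));
console.log('safe:  ', buildSwatchSafe('#ff0000', UNTRUSTED_NAME));
console.log('  tags:', countTags(buildSwatchSafe('#ff0000', UNTRUSTED_NAME)));
```

The unsafe output contains a second li and an img that the template never wrote, while the escaped output still has exactly one li and one span and the whole payload sits inside the title attribute as text.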


WAF Protection Rules

WAF Rule

jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version 2.3.6.
