Miggo Logo

CVE-2021-32855: Vditor Cross-site Scripting vulnerability

6.1

CVSS Score
3.1

Basic Information

EPSS Score
0.60016%
Published
2/21/2023
Updated
2/22/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
vditornpm< 3.8.73.8.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized HTML being processed during paste operations. The patch adds Lute.Sanitize() call to the paste handler in fixBrowserBehavior.ts, indicating this was the missing security check. The function processes() clipboard data without proper sanitization in vulnerable versions, making it the entry point for XSS payloads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*itor is * *rows*r-si** M*rk*own **itor. V*rsions prior to *.*.* *r* vuln*r**l* to *opy-p*st* *ross-sit* s*riptin* (XSS). *or t*is p*rti*ul*r typ* o* XSS, t** vi*tim n***s to ** *ool** into *opyin* * m*li*ious p*ylo** into t** t*xt **itor. V*rsion *

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** *TML **in* pro**ss** *urin* p*st* op*r*tions. T** p*t** ***s `Lut*.S*nitiz*()` **ll to t** p*st* **n*l*r in `*ix*rows*r****vior.ts`, in*i**tin* t*is w*s t** missin* s**urity ****k. T** *un*tion `pro**ss*s()` *