6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32860

GHSA ID

GHSA-h685-83w4-3ph3

EPSS Score

0.49043%

CWE

CWE-79

Published

2/21/2023

Updated

2/22/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32860

CVE-2021-32860: iziModal Cross-site Scripting vulnerability

iziModal is a modal plugin with jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. An attacker who is able to influence the field title when creating a iziModal instance is able to supply arbitrary html or javascript code that will be rendered in the context of a user, potentially leading to XSS. Version 1.6.1 contains a patch for this issue

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32860

GHSA ID

GHSA-h685-83w4-3ph3

EPSS Score

0.49043%

CWE

CWE-79

Published

2/21/2023

Updated

2/22/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
izimodal	npm	< 1.6.1	1.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inserting user-controlled input (title/subtitle/iconText/content) into DOM via .html() without proper sanitization. The commit patched this by introducing a sanitize() function that removes dangerous attributes/patterns, and applied it to all these insertion points. The functions shown in the diff that received sanitize() wrappers were previously vulnerable to XSS through their parameters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

iziMo**l is * mo**l plu*in wit* jQu*ry. V*rsions prior to *.*.* *r* vuln*r**l* to *ross-sit* s*riptin* (XSS) w**n **n*lin* untrust** mo**l titl*s. *n *tt**k*r w*o is **l* to in*lu*n** t** *i*l* `titl*` w**n *r**tin* * `iziMo**l` inst*n** is **l* to s

Reasoning

T** vuln*r**ility st*ms *rom ins*rtin* us*r-*ontroll** input (titl*/su*titl*/i*onT*xt/*ont*nt) into *OM vi* `.*tml()` wit*out prop*r s*nitiz*tion. T** *ommit p*t**** t*is *y intro*u*in* * `s*nitiz*()` *un*tion t**t r*mov*s **n**rous *ttri*ut*s/p*tt*r

6.1

Basic Information

Concerned about an active attack path?

CVE-2021-32860: iziModal Cross-site Scripting vulnerability

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI