
CVE-2021-32860: iziModal Cross-site Scripting vulnerability

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.49043%
Published: 2/21/2023
Updated: 2/22/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: izimodal
Ecosystem: npm
Vulnerable Versions: < 1.6.1
First Patched Version: 1.6.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from inserting user-controlled option values (title, subtitle, iconText and content) into the DOM via jQuery's .html() without sanitization. Because .html() parses its argument as markup, any tag or event-handler attribute contained in those strings is rendered and executed in the context of the embedding page. The fixing commit introduced a sanitize() function that removes dangerous attributes and patterns and applied it at each of these insertion points; the functions that received sanitize() wrappers in the diff were previously reachable for XSS through those parameters.
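The pattern described above, reduced to plain strings so it runs outside a browser, as an added example that is not iziModal's own code or its sanitize() implementation. The function names, the option object and the class names in the generated markup are illustrative assumptions; the header builder concatenates strings exactly as jQuery's .html() would parse them, and the hardened variant treats every option value as text by HTML-escaping it first (the behaviour of jQuery's .text()).

```javascript
// Added example (not iziModal's code). Models the CVE-2021-32860 pattern:
// option strings are interpolated into markup that jQuery's .html() parses.
// Names below (renderHeaderUnsafe, renderHeaderSafe, class names) are
// illustrative assumptions, not the library's API.

// Constructed attacker-controlled title: a tag carrying an event handler.
const MALICIOUS_TITLE = '<img src=x onerror="alert(document.domain)">';

// Shared builder: produces the header markup from already-prepared strings.
function buildHeader(title, subtitle) {
  return '<div class="modal-header">' +
         '<h2 class="modal-title">' + title + '</h2>' +
         '<p class="modal-subtitle">' + subtitle + '</p>' +
         '</div>';
}

// Vulnerable pattern: untrusted values go straight into the markup.
function renderHeaderUnsafe(opts) {
  return buildHeader(opts.title, opts.subtitle || '');
}

// Escape the five characters that can change HTML context. The value can
// no longer open a tag or break out of an attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same markup, every option value escaped before insertion.
function renderHeaderSafe(opts) {
  return buildHeader(escapeHtml(opts.title), escapeHtml(opts.subtitle || ''));
}

// Names of every tag an HTML parser would see in the string, used to check
// whether the attacker's <img> survived as a real element.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

// Stand-alone demonstration.
console.log('unsafe tags:', tagNames(renderHeaderUnsafe({ title: MALICIOUS_TITLE })));
console.log('safe tags:  ', tagNames(renderHeaderSafe({ title: MALICIOUS_TITLE })));
```

Escaping is the right fix when a title is meant to be plain text. If the option must keep accepting HTML, as a deny-list sanitizer that strips "dangerous attributes/patterns" implies, that sanitizer has to be tested against encoded and obfuscated forms of the same payloads (entity-encoded brackets, mixed-case attribute names, whitespace inside attributes), and an allowlist-based sanitizer such as DOMPurify is the more robust choice.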


WAF Protection Rules

WAF Rule

iziModal is a modal plugin with jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. An attacker who is able to influence the field `title` when creating a `iziModal` instance is able to s
