CVE-2021-32860: iziModal Cross-site Scripting vulnerability
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.49043%
CWE
Published
2/21/2023
Updated
2/22/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
izimodal | npm | < 1.6.1 | 1.6.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from inserting user-controlled input (title/subtitle/iconText/content) into DOM via .html()
without proper sanitization. The commit patched this by introducing a sanitize()
function that removes dangerous attributes/patterns, and applied it to all these insertion points. The functions shown in the diff that received sanitize()
wrappers were previously vulnerable to XSS through their parameters.