Miggo Logo
Miggo Vulnerability Database
CVE-2021-33040

CVE-2021-33040: Cross-site Scripting in epubjs

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-33040
GHSA ID
GHSA-c6rp-xvqv-mwmf
EPSS Score
0.52153%
CWE
CWE-79
Published
1/21/2022
Updated
9/21/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
epubjsnpm< 0.3.890.3.89

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key factors:

  1. The iframe creation in IframeView.create() lacked critical sandbox attributes (added in the patched commit ab4dd46), which would normally restrict script execution.
  2. The content loading mechanism in IframeView.load() directly writes unsanitized content into the iframe document. The combination of these factors allows attacker-controlled EPUB content to execute scripts in the host page context. The patch explicitly adds sandbox='allow-same-origin' to the iframe and documents scripted content handling, confirming these were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

m*n***rs/vi*ws/i*r*m*.js in *utur*Pr*ss *Pu*.js ***or* *.*.** *llows XSS.

Reasoning

T** vuln*r**ility st*ms *rom two k*y ***tors: *. T** i*r*m* *r**tion in I*r*m*Vi*w.*r**t*() l**k** *riti**l s*n**ox *ttri*ut*s (***** in t** p*t**** *ommit *******), w*i** woul* norm*lly r*stri*t s*ript *x**ution. *. T** *ont*nt lo**in* m****nism in