
CVE-2021-33040: Cross-site Scripting in epubjs

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.52153%
Published: 1/21/2022
Updated: 9/21/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: epubjs
Ecosystem: npm
Vulnerable Versions: < 0.3.89
First Patched Version: 0.3.89

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two key factors:

  1. The iframe created in IframeView.create() lacked the sandbox attribute (added in the patched commit ab4dd46), so nothing restricted script execution inside the frame.
  2. The content loading mechanism in IframeView.load() writes unsanitized content directly into the iframe document.

The combination of these factors allows attacker-controlled EPUB content to execute scripts in the host page context. The patch explicitly adds sandbox='allow-same-origin' to the iframe and documents the handling of scripted content, confirming these were the vulnerable points.
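Why sandbox='allow-same-origin' on its own blocks script execution while still letting the host reach the frame's DOM, as an added JavaScript example (not epub.js code): it parses an iframe sandbox value the way the HTML spec tokenizes it and flags frames whose content would run scripts in the host origin, which is the unpatched epub.js condition. The frame names and sample list are constructed for the demonstration.

```javascript
// Added example (not epub.js code): what an iframe `sandbox` attribute value
// permits, following the HTML spec's token rules (space-separated, ASCII
// case-insensitive). Used here to compare the unpatched epub.js frame
// (no attribute) with the patched one (sandbox='allow-same-origin').
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// sandboxValue: the attribute's string value, or null when the attribute is absent.
function evaluateSandbox(sandboxValue) {
  if (sandboxValue === null || sandboxValue === undefined) {
    // No attribute: about:blank content written into the frame inherits the
    // embedder's origin and runs scripts with full access to the host page.
    return { sandboxed: false, scripts: true, sameOrigin: true, hostScriptRisk: true, unknown: [] };
  }
  const tokens = new Set(
    sandboxValue.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );
  const unknown = [...tokens].filter((t) => !KNOWN_TOKENS.has(t));
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  // A frame that may run scripts AND keeps the embedder's origin can reach the
  // parent DOM and strip its own sandbox attribute, so those two tokens together
  // give no isolation. Either one alone does not expose the host origin to scripts.
  return { sandboxed: true, scripts, sameOrigin, hostScriptRisk: scripts && sameOrigin, unknown };
}

// Audit a list of iframe configurations, returning the names of the risky ones.
function riskyFrames(frames) {
  return frames.filter((f) => evaluateSandbox(f.sandbox).hostScriptRisk).map((f) => f.name);
}

// Constructed sample: epub.js before and after the fix, plus two other configurations.
const SAMPLE_FRAMES = [
  { name: "epubjs-unpatched", sandbox: null },
  { name: "epubjs-patched", sandbox: "allow-same-origin" },
  { name: "scripts-only", sandbox: "allow-scripts" },
  { name: "both-tokens", sandbox: "allow-scripts allow-same-origin" },
];

console.log(riskyFrames(SAMPLE_FRAMES)); // ["epubjs-unpatched", "both-tokens"]
```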


WAF Protection Rules

WAF Rule

managers/views/iframe.js in FuturePress ePub.js before 0.3.89 allows XSS.
