CVE-2021-33041: Cross-site Scripting in vmd

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.57376%
Published: 2/10/2022
Updated: 9/11/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vmd | npm | <= 1.34.0 | |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from unsanitized HTML being injected during the markdown rendering process. Key evidence includes:

  1. The PoC demonstrates XSS via <img> and <a> tags whose event handlers execute Node.js code.
  2. Electron's nodeIntegration is likely enabled, which gives the renderer process access to require('child_process').
  3. The 'markdown-body' div is explicitly called out as the injection point.
  4. The lack of sanitization matches the CWE-79 XSS pattern.

While the exact function name isn't specified in the available data, the rendering mechanism's insecure implementation is clearly the root cause.

WAF Protection Rules

WAF Rule

vmd through 1.34.0 allows `div class="markdown-body"` XSS, as demonstrated by Electron remote code execution via `require('child_process').execSync('calc.exe')` on Windows and a similar attack on macOS.
