Miggo Logo
Miggo Vulnerability Database
CVE-2021-3427

CVE-2021-3427: Deluge Web-UI vulnerable to XSS through a crafted torrent file

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-3427
GHSA ID
GHSA-5c8p-qhch-qhx6
EPSS Score
0.6321%
CWE
CWE-79
Published
8/27/2022
Updated
9/16/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
delugepip>= 0, < 2.1.02.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized torrent metadata being rendered as HTML. The Web UI's JSON API (json_api.py) and template rendering components (torrenthandler.py) are primary candidates based on: 1) The vulnerability manifests in Web UI torrent display 2) Ticket #3459 references Tornado template rendering issues 3) Common XSS patterns in web applications involve improper output encoding in data presentation layers. While exact line numbers aren't available from provided sources, the component structure and vulnerability pattern strongly implicate these core data presentation functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** **lu** W**-UI is vuln*r**l* to *ross-sit* s*riptin* t*rou** * *r**t** torr*nt *il*. T** t** **t* *rom torr*nt *il*s is not prop*rly s*nitis** *s it's int*rpr*t** *ir**tly *s *TML. Som*on* w*o suppli*s t** us*r wit* * m*li*ious torr*nt *il* **n *x

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** torr*nt m*t***t* **in* r*n**r** *s *TML. T** W** UI's JSON *PI (`json_*pi.py`) *n* t*mpl*t* r*n**rin* *ompon*nts (`torr*nt**n*l*r.py`) *r* prim*ry **n*i**t*s **s** on: *) T** vuln*r**ility m*ni**sts in W** UI