6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-3427

GHSA ID

GHSA-5c8p-qhch-qhx6

EPSS Score

0.6321%

CWE

CWE-79

Published

8/27/2022

Updated

9/16/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-3427

CVE-2021-3427: Deluge Web-UI vulnerable to XSS through a crafted torrent file

The Deluge Web-UI is vulnerable to cross-site scripting through a crafted torrent file. The the data from torrent files is not properly sanitised as it's interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary Javascript code in the context of the user's browser session.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-3427

CVE-2021-3427:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-3427

GHSA ID

GHSA-5c8p-qhch-qhx6

EPSS Score

0.6321%

CWE

CWE-79

Published

8/27/2022

Updated

9/16/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
deluge	pip	>= 0, < 2.1.0	2.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized torrent metadata being rendered as HTML. The Web UI's JSON API (json_api.py) and template rendering components (torrenthandler.py) are primary candidates based on: 1) The vulnerability manifests in Web UI torrent display 2) Ticket #3459 references Tornado template rendering issues 3) Common XSS patterns in web applications involve improper output encoding in data presentation layers. While exact line numbers aren't available from provided sources, the component structure and vulnerability pattern strongly implicate these core data presentation functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-3427: Deluge Web-UI vulnerable to XSS through a crafted torrent file

CVE-2021-3427:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.1

6.1

CVE-2021-3427: Deluge Web-UI vulnerable to XSS through a crafted torrent file

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI