
CVE-2021-36686: Cross-site Scripting in yapi-vendor

CVSS Score
5.4 (CVSS v3.1)

Basic Information

EPSS Score
0.50567%
Published
1/26/2023
Updated
3/1/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
yapi-vendor | npm | <= 1.9.1 | (not available)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two points:

  1. The backend API handler for the interface edit endpoint (likely in a controller file) does not sanitize user input in the 'remarks' field before storing it, as evidenced by stored XSS payloads persisting after a save.
  2. The markdown rendering utility (used in both preview and display modes) does not sanitize its HTML output, so injected scripts execute. This is confirmed by payloads firing in write/preview mode (Issue #2240) and when the saved interface is viewed by other users (Issue #2190).

These functions are implicated with high confidence because:
  • the attack vector explicitly targets the remark field of the interface edit page;
  • the payloads require both storage (backend) and unsafe rendering (frontend/utility);
  • the CWE-79 classification maps directly to these unsanitized input-handling points.
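The following is an added example and is not code from YApi, yapi-vendor or Miggo. It models the two root-cause points above in a few lines of JavaScript: a hypothetical edit handler that stores the 'remarks' field verbatim, a minimal markdown transform (bold and links only) that passes raw HTML through, and a hardened renderer that escapes HTML metacharacters before the markdown transforms and refuses non-http(s) link targets. The in-memory store, function names and sample payload are constructed for this example.

```javascript
// Added example (not YApi's code): stored XSS through a markdown-backed
// "remarks" field, vulnerable path beside the hardened one.

// Constructed in-memory stand-in for the interface table.
const interfaces = new Map();

// Root-cause point 1: the edit handler stores the remark byte-for-byte.
function saveRemark(interfaceId, remark) {
  interfaces.set(interfaceId, String(remark));
  return interfaces.get(interfaceId);
}

// Minimal markdown subset shared by both renderers: paragraphs, **bold**,
// [text](url). Nothing here strips or encodes HTML; it only adds tags.
function applyMarkdown(text, allowLink = () => true) {
  return text
    .split(/\n{2,}/)
    .map((para) =>
      para
        .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
        .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (m, label, url) =>
          allowLink(url) ? `<a href="${url}">${label}</a>` : m))
    .map((html) => `<p>${html}</p>`)
    .join('\n');
}

// Root-cause point 2: the raw remark goes straight into the transforms, so
// any HTML in it reaches the DOM of whoever opens the interface page.
function renderMarkdownUnsafe(md) {
  return applyMarkdown(md);
}

// Hardened path: encode &, <, >, " and ' before markdown runs, so user text
// can only ever become text nodes or attribute values, never markup.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderMarkdownSafe(md) {
  // Escaping first keeps **bold** and [text](url) working (those characters
  // are not HTML metacharacters) while neutralising injected tags; the link
  // filter blocks javascript: and data: hrefs that escaping alone would allow.
  return applyMarkdown(escapeHtml(md), (url) => /^https?:\/\//i.test(url));
}

// What a second user sees when opening the interface page: with the unsafe
// renderer this is where a stored payload fires (the Issue #2190 scenario).
function viewInterface(interfaceId, render) {
  return render(interfaces.get(interfaceId) ?? '');
}

// Constructed payload in the style of the reports above.
saveRemark(42, '<img src=x onerror=alert(1)>');
console.log(viewInterface(42, renderMarkdownUnsafe)); // tag survives intact
console.log(viewInterface(42, renderMarkdownSafe));   // rendered as literal text
```

Escaping before the markdown pass (rather than after) is the important ordering: the transforms only ever insert tags they generated themselves, so no user-controlled `<` can reach the output. A real deployment would use a maintained sanitizer on the rendered HTML as well; this block shows only the property the root-cause analysis hinges on.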


WAF Protection Rules

WAF Rule

Cross Site Scripting (XSS) vulnerability in yapi 1.9.1 allows attackers to execute arbitrary code via the /interface/api edit page.
