CVE-2021-37504: jQuery-Upload-File XSS in fileNameStr

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.70637%
Published: 2/26/2022
Updated: 4/2/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: jquery-file-upload
Ecosystem: npm
Vulnerable Versions: <= 4.0.11
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability occurs in filename handling: user-controlled input (file.name) is inserted directly into the DOM via .html() without sanitization. The serializeAndUploadFiles function processes file names and passes them to progress dialogs using .html(), and defaultProgressBar's filename element creation builds markup from the raw name in the same way. Both patterns fail to escape user-controlled content in an HTML context, which is the root of the XSS.
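As an added example (not code from the Miggo page or from the jquery-file-upload plugin), the vulnerable shape and a hardened shape side by side in plain JavaScript; the DOM step is modelled as a string so it runs under Node, and the element class name, helper names and sample file name are assumptions made for illustration.

```javascript
// Added example, not the plugin's own code. Contrasts a file name
// concatenated raw into markup destined for .html() with the same markup
// built from an escaped name. Class name below is an assumed placeholder.

// Minimal HTML escaping sufficient for text nodes and double-quoted
// attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: the untrusted name is interpolated as-is, so any markup
// it carries becomes part of the document once the string reaches .html().
function buildFileNameHtmlUnsafe(fileName) {
  return '<div class="upload-filename">' + fileName + "</div>";
}

// Hardened shape: identical markup, but the name is escaped first and can
// only ever render as text. (Using jQuery's .text() on the element instead
// of .html() achieves the same result in the real plugin.)
function buildFileNameHtmlSafe(fileName) {
  return '<div class="upload-filename">' + escapeHtml(fileName) + "</div>";
}

// Review/test check: no raw tag delimiters may survive inside the element
// body after the name has been rendered.
function containsRawTag(html) {
  const body = html.slice(html.indexOf(">") + 1, html.lastIndexOf("<"));
  return /[<>]/.test(body);
}

// Constructed sample: a file name carrying markup. Upload clients control the
// name byte-for-byte, so it must be treated as untrusted input.
const sampleName = "quarterly<b>report</b>.pdf";
```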

WAF Protection Rules

WAF Rule

A cross-site scripting (XSS) vulnerability in the fileNameStr parameter of jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts or HTML via a crafted file with a JavaScript payload in the file name.

Reasoning

The vulnerability occurs in filename handling where user-controlled input (file.name) is directly inserted into the DOM via `.html()` without sanitization. The `serializeAndUploadFiles` function processes file names and passes them to progress dialogs using `.html()`, while `defaultProgressBar`'s filename element creation uses the same unsafe HTML injection. Both patterns fail to escape user-controlled content in HTML contexts.