CVE-2021-3783: Cross-site Scripting in yourls

CVSS Score: 6.6

Basic Information

EPSS Score: -
Published: 9/20/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name: yourls/yourls
Ecosystem: composer
Vulnerable Versions: <= 1.8.2
First Patched Version: -

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unsanitized user input in upgrade parameters. The patch adds validation through yourls_sanitize_version() and intval() casts, confirming the previous lack of input sanitization. Both the parameter handling in admin/upgrade.php and the yourls_upgrade function's parameter intake were vulnerable points where user-controlled values could enter the output without proper neutralization.
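The pattern the patch description implies, shown as an added example that is not YOURLS code: the unsanitized handler reflects upgrade parameters straight into HTML, while the hardened handler whitelists the version string (the same intent as yourls_sanitize_version()), casts the step with intval(), and escapes on output. The parameter names (oldver, step) and helper names are assumptions for illustration.

```php
<?php
// Added example, not YOURLS code. Parameter names and helper names are assumed.

// Unsanitized form: raw query-string values reach the HTML unchanged.
function render_upgrade_status_unsafe(array $query): string {
    $oldver = $query['oldver'] ?? '';
    $step   = $query['step'] ?? '';
    return "<p>Upgrading from version $oldver, step $step</p>";
}

// Whitelist sanitizer for version strings: keep digits and dots, drop everything else.
// Same purpose as yourls_sanitize_version(); this is a stand-in, not the library function.
function sanitize_version(string $ver): string {
    return preg_replace('/[^0-9.]/', '', $ver);
}

// Hardened form: whitelist the version, cast the step to an integer, and still
// escape on output so a value that escapes whitelisting cannot break out of
// the HTML text context.
function render_upgrade_status_safe(array $query): string {
    $oldver = sanitize_version((string)($query['oldver'] ?? ''));
    $step   = intval($query['step'] ?? 0);
    return sprintf(
        '<p>Upgrading from version %s, step %d</p>',
        htmlspecialchars($oldver, ENT_QUOTES, 'UTF-8'),
        $step
    );
}

// Constructed request: a version string carrying stray markup and a non-numeric step.
$query = ['oldver' => '1.8.2<b>x</b>', 'step' => '2abc'];

echo render_upgrade_status_unsafe($query), PHP_EOL;
// <p>Upgrading from version 1.8.2<b>x</b>, step 2abc</p>  (markup reaches the page)

echo render_upgrade_status_safe($query), PHP_EOL;
// <p>Upgrading from version 1.8.2, step 2</p>
```

The whitelist removes everything that is not a digit or a dot, so the markup never reaches the output; the intval() cast turns "2abc" into 2 before it is formatted.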

WAF Protection Rules

WAF Rule: yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in arbitrary path handling.
