Miggo Logo
Miggo Vulnerability Database
CVE-2021-3863

CVE-2021-3863:
Cross-site Scripting in snipe-it

5.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2021-3863
GHSA ID
GHSA-5rg2-6qr5-2xp8
EPSS Score
0.46911%
CWE
CWE-79
Published
10/21/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
snipe/snipe-itcomposer< 5.3.05.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper neutralization of SVG file inputs during upload processing. All three controller methods handled file uploads by directly storing file contents without SVG-specific sanitization. The patch introduced SVG sanitization using enshrined/svgSanitize, indicating these functions previously lacked proper input validation. The XSS risk occurs when browsers render malicious SVG scripts stored through these endpoints. The affected code paths are clearly shown in the pre-patch diffs where SVG handling lacked sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

snip*-it is vuln*r**l* to Improp*r N*utr*liz*tion o* Input *urin* W** P*** **n*r*tion ('*ross-sit* S*riptin*')

Reasoning

T** vuln*r**ility st*ms *rom improp*r n*utr*liz*tion o* SV* *il* inputs *urin* uplo** pro**ssin*. *ll t*r** *ontroll*r m*t*o*s **n*l** *il* uplo**s *y *ir**tly storin* *il* *ont*nts wit*out SV*-sp**i*i* s*nitiz*tion. T** p*t** intro*u*** SV* s*nitiz*