
CVE-2021-3977: invoiceninja is vulnerable to Cross-site Scripting

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.48093%
Published: 1/6/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: hillelcoren/invoice-ninja
Ecosystem: composer
Vulnerable Versions: < 5.3.35
First Patched Version: 5.3.35

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from improper handling of 'company_key' in the password reset flow. The original code used session-stored 'company_key' to set the database context, which could be manipulated via session poisoning or other means. If this value was later reflected in web output without sanitization (e.g., in error messages or hidden form fields), it created an XSS vector. The patch in commit 1186eaa modified the code to use request input directly while removing session dependency, indicating the original implementation lacked proper input validation and output encoding for this parameter.


WAF Protection Rules

WAF Rule

invoiceninja is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
