Miggo Logo
Miggo Vulnerability Database
CVE-2021-40289

CVE-2021-40289: mm-wiki is vulnerable to Cross-Site Scripting (XSS)

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-40289
GHSA ID
GHSA-99g5-5643-xphp
EPSS Score
0.33231%
CWE
CWE-79
Published
11/10/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/phachon/mm-wikigo<= 0.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The XSS vulnerability occurs in the space creation functionality where user-supplied 'tags' parameter input is not sanitized before storage. The endpoint /system/space/save is implicated in the vulnerability report, and in typical Go web application structure, this would map to a controller handler function responsible for processing form submissions. While exact code isn't available, the pattern suggests the Save handler in the space controller processes raw user input without adequate HTML escaping or validation, particularly for the 'tags' field. Confidence is medium due to reliance on endpoint mapping and vulnerability reproduction steps rather than direct code analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

mm-wki v*.*.* is vuln*r**l* to *ross Sit* S*riptin* (XSS).

Reasoning

T** XSS vuln*r**ility o**urs in t** sp*** *r**tion *un*tion*lity w**r* us*r-suppli** 't**s' p*r*m*t*r input is not s*nitiz** ***or* stor***. T** *n*point `/syst*m/sp***/s*v*` is impli**t** in t** vuln*r**ility r*port, *n* in typi**l *o w** *ppli**tio