CVE-2021-41132: Inconsistent input sanitisation leads to XSS vectors

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.75018%
Published: 10/14/2021
Updated: 10/8/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
omero-web      pip         < 5.11.0              5.11.0
omero-figure   pip         < 4.4.1               4.4.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two primary patterns: 1) use of jQuery.html() with unsanitized user input in JavaScript files, and 2) Underscore template interpolation using <%= %> (raw, unescaped) where <%- %> (HTML-escaped) is required in HTML context. The commit diff shows a systematic replacement of both unsafe practices: adding .escapeHTML() to user-controlled strings before they are concatenated into markup, and switching the template interpolator from <%= to <%-. The vulnerable functions are those that, in prior versions, rendered user-controlled data (labels, names, textValues) without either of these escaping measures. Confidence is high because the patched locations correlate directly with the XSS patterns described in the advisory.
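The two patterns above, as an added illustration that is not OMERO.web's or omero-figure's own code: a constructed hostile image name is rendered through string concatenation with and without an HTML-escaping helper (the .escapeHTML() step the fix adds), and through a minimal Underscore-style template compiler whose <%= %> interpolates raw and <%- %> escapes, the same semantics as _.template. The escapeHTML, compileTemplate and containsActiveMarkup functions, the template strings and the sample input are assumptions made for this example.

```javascript
// Added example (not OMERO's code): demonstrates both XSS patterns named in the
// root-cause analysis and the escaping that the fix applies.

// Constructed attacker-controlled input, e.g. an image name or figure label
// stored on the server and later rendered client-side.
const HOSTILE_NAME = '<img src=x onerror="alert(document.cookie)">';

// Escape the five characters that matter in HTML text and attribute context.
// Order matters: '&' must be replaced first so later entities are not re-escaped.
function escapeHTML(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pattern 1, vulnerable: user data concatenated into markup that is then
// handed to $el.html(). The browser parses the <img> tag and runs onerror.
function renderLabelVulnerable(name) {
  return '<div class="label">' + name + '</div>';
}

// Pattern 1, fixed: same concatenation, but the user data is escaped first
// (equivalent to the .escapeHTML() calls added in the patch).
function renderLabelFixed(name) {
  return '<div class="label">' + escapeHTML(name) + '</div>';
}

// Pattern 2: minimal Underscore-style template compiler (assumption, not
// Underscore itself). <%= expr %> interpolates raw; <%- expr %> interpolates
// HTML-escaped. Only dotted property paths are supported, which is enough here.
function compileTemplate(text) {
  const re = /<%([=-])\s*([\w.]+)\s*%>/g;
  return function render(data) {
    return text.replace(re, (_match, mode, key) => {
      const value = key.split('.').reduce((o, k) => (o == null ? o : o[k]), data);
      return mode === '-' ? escapeHTML(value) : String(value);
    });
  };
}

const rawTemplate = compileTemplate('<span><%= image.name %></span>');     // vulnerable
const escapedTemplate = compileTemplate('<span><%- image.name %></span>'); // fixed

// Crude detector: does the rendered string still contain a live, parseable
// element of a kind that can execute script? Escaped output carries "&lt;img",
// never a literal "<img", so it is not flagged.
function containsActiveMarkup(html) {
  return /<\s*(img|script|svg|iframe|object|embed)\b/i.test(html);
}

// Render the hostile name through all four paths and return the results.
function demo() {
  const data = { image: { name: HOSTILE_NAME } };
  return {
    vulnerable: renderLabelVulnerable(HOSTILE_NAME),
    fixed: renderLabelFixed(HOSTILE_NAME),
    rawTemplate: rawTemplate(data),
    escapedTemplate: escapedTemplate(data),
  };
}

module.exports = { escapeHTML, compileTemplate, containsActiveMarkup, demo };
```

When the value is plain text, `$el.text(name)` avoids the problem entirely; escaping is only needed when user data must be embedded inside markup that is subsequently passed to `.html()`, and in that case it has to be applied at every interpolation point, which is why the fix touched many files rather than one.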


WAF Protection Rules

WAF Rule

### Background
A variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of XSS possibilities with specially crafted input to a variety of fi
