CVE-2021-41467: Cross-site scripting in application/controllers/dropbox.php in JustWriting

CVSS Score (CVSS v3.1): 6.1

Basic Information

EPSS Score: 0.9408%
Published: 10/4/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: hjue/justwriting
Ecosystem: composer
Vulnerable Versions: <= 1.0.0
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from line 36 of dropbox.php, where the challenge request parameter is echoed straight into the response without sanitization or output encoding. This is the classic reflected XSS pattern: user-controlled input (a URL parameter) is reflected in the output without proper encoding, so a victim who follows a crafted link has attacker-supplied script or HTML rendered in the application's origin. GitHub issue #106 explicitly shows the vulnerable code snippet, echo $_GET['challenge']; exit;, confirming improper neutralization of web output.
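As an added illustration (an editor's example, not JustWriting's own code or its patch), the echo quoted in the analysis is shown beside a hardened handler. The plain-text content type, the allow-list pattern, the length limit and the function names are assumptions: if the endpoint is a verification handshake that must return the value verbatim, HTML-encoding it would break the handshake, so the hardened version returns it as plain text and rejects anything outside a token character set.

```php
<?php
// Editor's example, not the project's code. Function names are assumed.

// Vulnerable pattern, as quoted in GitHub issue #106: the request parameter
// is written straight into an HTML response, so any markup or script in it
// is rendered in the application's origin.
function vulnerable_challenge(): void
{
    echo $_GET['challenge'];
    exit;
}

// Hardened handler. The response is declared plain text (so browsers never
// treat the body as HTML), sniffing is disabled, and the value must match a
// narrow allow-list; everything else is rejected with 400.
function hardened_challenge(array $query): string
{
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');

    $challenge = $query['challenge'] ?? '';

    // Assumed allow-list: letters, digits, '.', '_', '-', at most 256 chars.
    // is_string() also rejects challenge[]=... array smuggling.
    if (!is_string($challenge)
        || !preg_match('/^[A-Za-z0-9._-]{1,256}$/', $challenge)) {
        http_response_code(400);
        return 'invalid challenge';
    }
    return $challenge;
}

// Where the value genuinely has to appear inside an HTML page, encode it at
// the point of output instead of echoing it raw.
function html_safe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo hardened_challenge($_GET);
```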
