Miggo Logo
Miggo Vulnerability Database
CVE-2021-4172

CVE-2021-4172: Cross-site Scripting in showdoc

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-4172
GHSA ID
GHSA-7x22-pmw5-66mq
EPSS Score
0.40736%
CWE
CWE-79
Published
2/1/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
showdoc/showdoccomposer< 2.10.22.10.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The key vulnerability is a stored XSS via SVG uploads. The commit diff shows a critical modification in web_src/src/models/page.js where user-controlled values (one.value) were being concatenated into the page content without sanitization. While the vulnerability manifests via SVG uploads, the root cause is improper neutralization of input during content generation. The patch removed an unsafe interpolation of one.value, indicating this was part of the XSS vector. The function's direct handling of user-supplied data aligns with the CWE-79 XSS classification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Stor** XSS vi* uplo** *tt***m*nt wit* *orm*t .sv* in *il* Li*r*ry.

Reasoning

T** k*y vuln*r**ility is * stor** XSS vi* SV* uplo**s. T** *ommit *i** s*ows * *riti**l mo*i*i**tion in `w**_sr*/sr*/mo**ls/p***.js` w**r* us*r-*ontroll** v*lu*s (on*.v*lu*) w*r* **in* *on**t*n*t** into t** p*** *ont*nt wit*out s*nitiz*tion. W*il* t*