CVE-2021-41924:
Cross-site Scripting in krayin/laravel-crm

CVSS Score: 6.1

Basic Information

EPSS Score: -
Published: 6/22/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: krayin/laravel-crm
Ecosystem: composer
Vulnerable Versions: < 1.2.2
First Patched Version: 1.2.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The key evidence comes from the commit diff, which shows v-html being replaced with v-text in table-body.vue. Vue's v-html directive inserts the bound value as raw HTML without sanitization, so when the value is user-controlled data (such as a CRM record rendered into a table cell) any markup it contains is interpreted by the browser, which is what makes it XSS-prone. The patch addresses this by switching to text interpolation (v-text), which inserts the value as text and therefore escapes any markup automatically. The file path and component match the vulnerability context described in the advisory.
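The difference between the two directives, as an added example that is not code from krayin/laravel-crm: it models how a table cell renders under v-html versus v-text, and adds a small audit helper that reports any remaining v-html bindings in a template. The template fragments and the field value are constructed, not taken from the project.

```javascript
// Added example (not krayin/laravel-crm code). Models Vue's rendering of a
// table cell under v-html vs v-text and audits a template for v-html use.

// HTML-escape a value the way text interpolation / v-text presents it:
// the characters that could open markup are neutralised before insertion.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Model of a rendered <td>: v-html inserts the raw string as markup,
// v-text inserts it as escaped text, so no tags in it are interpreted.
function renderCell(value, directive) {
  if (directive === 'v-html') return `<td>${value}</td>`;
  if (directive === 'v-text') return `<td>${escapeHtml(value)}</td>`;
  throw new Error(`unsupported directive: ${directive}`);
}

// Audit helper: return the 1-based line numbers where a template still
// binds v-html, so a reviewer can confirm the switch to v-text is complete.
function findVHtmlBindings(templateSource) {
  const hits = [];
  templateSource.split('\n').forEach((line, i) => {
    if (/\bv-html\s*=/.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Constructed before/after fragments shaped like a table-body component.
const BEFORE = `<tr v-for="row in rows">
  <td v-for="col in columns" v-html="row[col.key]"></td>
</tr>`;
const AFTER = BEFORE.replace('v-html=', 'v-text=');

// Constructed user-controlled field value that happens to contain markup.
const USER_VALUE = '<b>Acme</b> <i>Inc</i>';

console.log(renderCell(USER_VALUE, 'v-html')); // tags reach the DOM as markup
console.log(renderCell(USER_VALUE, 'v-text')); // tags are shown as literal text
console.log(findVHtmlBindings(BEFORE), findVHtmlBindings(AFTER)); // [ 2 ] []
```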


WAF Protection Rules

WAF Rule

Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS).
