Miggo Logo
Miggo Vulnerability Database
CVE-2021-4263

CVE-2021-4263: leanote vulnerable to cross-site scripting

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-4263
GHSA ID
GHSA-6cmv-2548-82v4
EPSS Score
0.18277%
CWE
CWE-79
Published
12/21/2022
Updated
10/20/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/leanote/leanotego<= 2.6.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped user-controlled 'content' being directly injected into DOM via .html() in the history module. The pre-patch code lacked sanitization (added via trimTitle() in the fix), making the module's HTML rendering function vulnerable. The commit diff explicitly shows the vulnerable code path in the history.js module's markdown handling branch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s pro*l*m*ti*, **s ***n *oun* in l**not*. T*is issu* *****ts t** *un*tion ***in* o* t** *il* `pu*li*/js/plu*ins/*istory.js`. T** m*nipul*tion o* t** *r*um*nt *ont*nt l***s to *ross sit* s*riptin*. T** *tt**k m*y

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** us*r-*ontroll** '*ont*nt' **in* *ir**tly inj**t** into *OM vi* `.*tml()` in t** *istory mo*ul*. T** pr*-p*t** *o** l**k** s*nitiz*tion (***** vi* `trimTitl*()` in t** *ix), m*kin* t** mo*ul*'s *TML r*n**rin* *un