CVE-2021-4272: studygolang vulnerable to cross-site scripting
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.16495%
CWE
Published
12/21/2022
Updated
4/5/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/studygolang/studygolang | go | <= 0.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from processing user-controlled markdown content through the marked
library without adequate sanitization before setting HTML content. The commit patch adds client-side tag replacement for <script>
, <form>
, etc., demonstrating the original code lacked these protections. The XSS occurs when unsanitized output from marked()
is injected into DOM via $(this).html(contentHtml)
. While no explicit function name is given, the marked()
processing chain in topics.js
is the clear vulnerable point.