CVE-2021-45895: Cross-site Scripting in Netgen Tags Bundle

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.47285%
Published: 1/6/2022
Updated: 9/13/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name       Ecosystem   Vulnerable Versions    First Patched Version
netgen/tagsbundle  composer    >= 3.4.0, < 3.4.11     3.4.11
netgen/tagsbundle  composer    >= 4.0.0, < 4.0.15     4.0.15

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The provided information lacks concrete technical details about the vulnerability's root cause. While the advisory confirms XSS in the Tags Admin interface, there are no available commit diffs, patch details, or code examples showing the vulnerable implementation. XSS vulnerabilities typically involve insufficient output encoding when rendering user-controlled data, which could occur in Twig templates or controller methods handling tag data. However, without specific code references from the patches (e.g., changes to template escaping or input sanitization functions), we cannot confidently identify exact vulnerable functions or their file paths. The release notes mention the fix but provide no technical specifics required for precise function identification.

WAF Protection Rules

WAF Rule

Netgen Tags Bundle 3.4.x before 3.4.11 and 4.0.x before 4.0.15 allows XSS in the Tags Admin interface.