CVE-2021-46871: phoenix_html allows Cross-site Scripting in HEEx class attributes

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.27507%
Published: 1/10/2023
Updated: 4/6/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
phoenix_html   npm         < 3.0.4               3.0.4
phoenix_html   erlang      < 3.0.4               3.0.4

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The GitHub commit 62a0139 shows critical changes in tag.ex's class attribute handling:

  1. The class_value/1 function was modified to apply attr_escape to its output.
  2. The build_attrs/1 function's logic was reordered to handle boolean attributes first; more importantly, class list processing now flows through the escaped class_value.
  3. Test cases were added to verify the escaping of dangerous characters in class attributes.

This indicates that the root cause was missing output encoding when constructing class attribute values, which is a direct XSS vector when user-controlled data is inserted into class attributes.
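How the missing encoding plays out, as an added illustration in Elixir that is not phoenix_html's own code: a simplified class_value/1 before and after the escaping step, fed a constructed class entry that contains a double quote. The module, the helper bodies and the data-injected attribute name are assumptions for this demo; only the names class_value/1 and attr_escape/1 are taken from the analysis above.

```elixir
# Added illustration, not phoenix_html's own code: a simplified class attribute
# builder before and after the fix described above. The names class_value/1 and
# attr_escape/1 come from the analysis; their bodies here are our own.
defmodule ClassAttrDemo do
  # Escape the characters that can terminate or alter a quoted attribute value.
  # "&" is replaced first so the entities produced below are not re-encoded.
  def attr_escape(value) when is_binary(value) do
    value
    |> String.replace("&", "&amp;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
    |> String.replace("\"", "&quot;")
    |> String.replace("'", "&#39;")
  end

  # Normalise a class list: drop nil/false entries, stringify the rest.
  defp class_list(value) when is_list(value) do
    value
    |> Enum.reject(&(&1 in [nil, false]))
    |> Enum.map(&to_string/1)
  end

  defp class_list(value), do: [to_string(value)]

  # Pre-fix behaviour: entries are joined and emitted without encoding, so a
  # double quote inside an entry ends the class attribute early.
  def class_value_unsafe(value), do: Enum.join(class_list(value), " ")

  # Post-fix behaviour: the joined value is passed through attr_escape/1, so
  # every entry stays inside the class="..." value.
  def class_value(value), do: value |> class_value_unsafe() |> attr_escape()

  # Render a div whose class attribute is produced by the given builder.
  def tag(builder, classes), do: ~s(<div class="#{builder.(classes)}"></div>)
end

# Constructed user-controlled class name that tries to close the attribute and
# smuggle in another one; this is the attribute-injection path behind the XSS.
user_class = "btn\" data-injected=\"yes"

IO.puts("before fix: " <> ClassAttrDemo.tag(&ClassAttrDemo.class_value_unsafe/1, ["card", user_class]))
IO.puts("after fix:  " <> ClassAttrDemo.tag(&ClassAttrDemo.class_value/1, ["card", user_class]))
```

Run with `elixir demo.exs`; in the first line the injected attribute appears as its own attribute, in the second it is inert text inside the class value.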

WAF Protection Rules

WAF Rule

tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows XSS in HEEx class attributes
