Miggo Logo

CVE-2022-1988: Cross-site Scripting in FacturaScripts

6.5

CVSS Score
3.0

Basic Information

EPSS Score
0.43299%
Published
6/4/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
facturascripts/facturascriptscomposer<= 2022.08

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input sanitization order in the test() method. The patch moved the noHtml() sanitization call to execute before any validation checks, ensuring 'descripcion' is always sanitized. This indicates the original implementation allowed unsanitized input to persist when early validation checks failed, creating an XSS vector. The direct code modification in the commit and added unit test for HTML escaping confirm this as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***tur*S*ripts ****.** *n* prior is vuln*r**l* to *ross-sit* s*riptin*. * p*t** is *v*il**l* on t** `m*st*r` *r*n** o* t** r*pository *n* *nti*ip*t** to ** p*rt o* v*rsion ****.**.

Reasoning

T** vuln*r**ility st*ms *rom improp*r input s*nitiz*tion or**r in t** `t*st()` m*t*o*. T** p*t** mov** t** `no*tml()` s*nitiz*tion **ll to *x**ut* ***or* *ny v*li**tion ****ks, *nsurin* '**s*rip*ion' is *lw*ys s*nitiz**. T*is in*i**t*s t** ori*in*l i