
CVE-2022-21690: OTF-001: Improper Input Sanitation: The path parameter of the requested URL is not sanitized before being passed to the QT frontend

CVSS Score: 8.7 (CVSS 3.1)

Basic Information

EPSS Score: 0.53892%
Published: 1/21/2022
Updated: 10/7/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| onionshare-cli | pip | < 2.5 | 2.5 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two key points:

1) In __init__.py, handle_request_individual_file_started passes the raw path parameter to IndividualFileHistoryItem.
2) In history.py, the IndividualFileHistoryItem constructor uses this path parameter directly to initialize a QLabel, without sanitization and without setting an explicit text format.

Qt's QLabel automatically interprets HTML-like content when the text format is not explicitly set to plain text, which creates an XSS-like vulnerability. Both functions are explicitly referenced in the provided code snippets and vulnerability description, with a clear data flow from the URL parameter to the dangerous rendering.
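The two usual mitigations for this data flow, as an added example that is not OnionShare's code or its actual patch: escape the path before it reaches a rich-text widget, or force the label to plain text. The function names, the sample paths and the use of PySide2 as the Qt binding are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample request paths (not taken from the advisory).
SAMPLE_PATHS = ["/docs/report.pdf", "/%3Ch1%3Enotice%3C/h1%3E", "/a&b.txt"]

# Start of something a rich-text renderer could parse as a tag: "<x", "</x", "<!".
_TAG = re.compile(r"<\s*/?\s*[A-Za-z!]")


def contains_markup(path: str) -> bool:
    """Flag a request path (raw or percent-encoded) that carries tag-like text.

    Useful for logging or alerting; it is not a substitute for the fixes below.
    """
    return bool(_TAG.search(unquote(path)))


def escape_for_label(path: str) -> str:
    """Mitigation 1: escape markup so a rich-text widget shows it literally."""
    return html.escape(path, quote=True)


def make_history_label(path: str):
    """Mitigation 2: render the path as plain text, whatever it contains.

    Hypothetical helper; PySide2 is imported lazily because constructing a
    widget needs a running QApplication.
    """
    from PySide2 import QtCore, QtWidgets

    label = QtWidgets.QLabel()
    # QLabel defaults to Qt.AutoText, which renders HTML-looking strings as
    # rich text. Qt.PlainText disables that interpretation.
    label.setTextFormat(QtCore.Qt.PlainText)
    label.setText(path)
    return label


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, contains_markup(p), escape_for_label(unquote(p)))
```

Setting the text format on the widget is the more robust of the two, because it does not depend on every caller remembering to escape.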
