
CVE-2022-24717: Cross Site Scripting (XSS) in @finastra/ssr-pages

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.5226%
Published: 3/1/2022
Updated: 2/3/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: @finastra/ssr-pages
Ecosystem: npm
Vulnerable Versions: < 0.1.5
First Patched Version: 0.1.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description explicitly states that XSS occurs when untrusted input is supplied to the `redirect.link` property passed to `build(MessagePageOptions)`. The GitHub advisory and the CVE both reference this function as the injection point. While the exact code diff isn't accessible, the commit references and the vulnerability pattern (XSS in SSR page generation) strongly indicate that the build function failed to properly sanitize the `redirect.link` value before embedding it in the HTML output.
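As an added illustration of the pattern described above (not code from @finastra/ssr-pages; the function names, the option shape and the allowed origin are hypothetical), a minimal message-page builder in JavaScript showing the unsanitised concatenation beside a hardened form that validates the link and HTML-escapes everything embedded in the markup:

```javascript
// Added example, not the library's code. buildMessagePageUnsafe,
// buildMessagePage, escapeHtml and safeLink are hypothetical names.

// Bug pattern: redirect.link is concatenated straight into the HTML output,
// so a value containing quotes or angle brackets breaks out of the href.
function buildMessagePageUnsafe(opts) {
  return `<p>${opts.message}</p><a href="${opts.redirect.link}">Continue</a>`;
}

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escaping alone does not make a URL safe inside an href: a javascript: URL
// is still executed on click. Accept only same-site relative paths or http(s)
// URLs on the expected origin; anything else falls back to a fixed target.
function safeLink(link, allowedOrigin, fallback = '/') {
  if (typeof link !== 'string') return fallback;
  if (link.startsWith('/') && !link.startsWith('//')) return link;
  try {
    const u = new URL(link);
    const httpScheme = u.protocol === 'https:' || u.protocol === 'http:';
    if (httpScheme && u.origin === allowedOrigin) return u.href;
  } catch (_) {
    // not an absolute URL at all: fall through to the fallback
  }
  return fallback;
}

// Hardened form: validate the link, then escape every interpolated value.
function buildMessagePage(opts, allowedOrigin) {
  const link = safeLink(opts.redirect && opts.redirect.link, allowedOrigin);
  return `<p>${escapeHtml(opts.message)}</p>` +
         `<a href="${escapeHtml(link)}">Continue</a>`;
}
```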


WAF Protection Rules

WAF Rule

A cross site scripting (XSS) issue can occur when providing untrusted input to the `redirect.link` property as an argument to the `build(MessagePageOptions)` function.
