Miggo Logo
Miggo Vulnerability Database
CVE-2022-25037

CVE-2022-25037: wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function

N/A

CVSS Score

Basic Information

CVE ID
CVE-2022-25037
GHSA ID
GHSA-9hfw-cvf4-5x25
EPSS Score
0.36929%
CWE
-
Published
5/31/2024
Updated
6/4/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
@wangeditor/editornpm<= 4.7.114.7.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized user input in image upload handling. The commit diff shows the patched version added HTML entity encoding for src/alt attributes and replaced dangerous string concatenation with DOM property setting. The original vulnerable code in upload-img.ts directly interpolated user-controlled values (src, alt, href) into HTML strings without escaping, enabling XSS payloads like "><img src=1 onerror=alert(1)>. Test cases in upload-img.test.ts confirm XSS scenarios were possible through image URL and alt text inputs. This matches the CVE description of image upload XSS and the GHSA advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * *ross-sit* s*riptin* (XSS) issu* in w*n***itor vi* t** im*** uplo** *un*tion in v*rsion *.*.**. T*is issu* **s ***n *ix** in v*rsion *.*.**.

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us*r input in im*** uplo** **n*lin*. T** *ommit *i** s*ows t** p*t**** v*rsion ***** *TML *ntity *n*o*in* *or sr*/*lt *ttri*ut*s *n* r*pl**** **n**rous strin* *on**t*n*tion wit* *OM prop*rty s*ttin*. T** ori*i