
CVE-2022-2523: Fava vulnerable to Reflected Cross-site Scripting

CVSS Score (CVSS 3.1)
6.1

Basic Information

EPSS Score
0.53186%
Published
7/26/2022
Updated
9/20/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
fava
Ecosystem
pip
Vulnerable Versions
>= 0, < 1.22.2
First Patched Version
1.22.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper use of Svelte's @html directive in two locations:

  1. In EntryContext.svelte, directly rendering inventory data as HTML via join("<br>") without sanitization.
  2. In Query.svelte, directly rendering error messages as HTML.

Both patterns allowed user-controlled input (via the query_string parameter) to be interpreted as raw HTML. The fix replaced them with safe, context-aware escaping ({amount} and {error}) and explicit <br/> elements, confirming that the vulnerable pattern was HTML injection through @html.
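The two render paths described above, modelled in plain JavaScript as an added example (this is not Fava's code and not the Svelte components themselves). Svelte's {@html ...} inserts a string as raw markup, much like assigning to innerHTML, while {value} inserts it as escaped text; the functions below reproduce that difference for the inventory rows and the error message, and simulate the reflected flow from the query_string parameter. All function names, the example URL and the sample inputs are constructed for this illustration.

```javascript
// Added example, not from the Fava project. Models the vulnerable and fixed
// render paths from the root-cause analysis so they can be run in Node.

// Minimal escaper for the HTML text context (what Svelte's {value} does).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (EntryContext.svelte before the fix): inventory amounts
// are concatenated with "<br>" and handed to {@html}, so markup inside any
// amount string becomes part of the DOM.
function renderInventoryUnsafe(amounts) {
  return amounts.join("<br>"); // equivalent of {@html amounts.join("<br>")}
}

// Fixed pattern: each amount is rendered as escaped text ({amount}) and the
// line breaks are explicit <br/> elements written by the template, not by data.
function renderInventorySafe(amounts) {
  return amounts.map(escapeHtml).join("<br/>");
}

// Vulnerable pattern (Query.svelte before the fix): the error string, which
// echoes the user's query, is rendered with {@html error}.
function renderErrorUnsafe(error) {
  return `<div class="error">${error}</div>`;
}

// Fixed pattern: {error} escapes the string before it reaches the DOM.
function renderErrorSafe(error) {
  return `<div class="error">${escapeHtml(error)}</div>`;
}

// Simplified model of the reflected flow: the query_string parameter is read
// from the request URL and echoed back inside an error message.
function errorFromQueryString(url) {
  const qs = new URL(url).searchParams.get("query_string") ?? "";
  return `Invalid query: ${qs}`;
}

// Regression check: does untrusted input containing markup survive verbatim
// (unescaped) in the rendered output? True means the @html-style bug is present.
function leaksMarkup(html, untrusted) {
  return /[<>]/.test(untrusted) && html.includes(untrusted);
}

// Constructed sample input: a harmless tag stands in for attacker-controlled
// markup arriving through query_string.
function demo() {
  const untrusted = "<b>x</b>";
  const url = "http://fava.example/query?query_string=" + encodeURIComponent(untrusted);
  const error = errorFromQueryString(url);
  return {
    unsafeInventory: renderInventoryUnsafe(["10 USD", untrusted]),
    safeInventory: renderInventorySafe(["10 USD", untrusted]),
    unsafeError: renderErrorUnsafe(error),
    safeError: renderErrorSafe(error),
    unsafeLeaks: leaksMarkup(renderErrorUnsafe(error), untrusted), // true
    safeLeaks: leaksMarkup(renderErrorSafe(error), untrusted),     // false
  };
}

console.log(demo());
```

The leaksMarkup check is the kind of assertion worth keeping in a component's test suite: it fails whenever a template switches a user-controlled string back to {@html}, which is exactly the regression the 1.22.2 fix guards against.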


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2. The `query_string` parameter of fava is vulnerable to reflected cross-site scripting, for which an attacker can modify any information that the user is able to
