Miggo Logo

CVE-2022-25646: x-data-spreadsheet through 1.1.9 vulnerable to Cross-site Scripting

6.1

CVSS Score
3.1

Basic Information

EPSS Score
0.59581%
Published
8/31/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
x-data-spreadsheetnpm<= 1.1.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized cell content rendering. Since the package handles spreadsheet data display, the core cell rendering function would be responsible for outputting user-controlled values to the DOM. The provided PoC demonstrates that raw HTML/JS in cells executes when rendered, indicating the renderer doesn't sanitize outputs. While exact code isn't available, cell rendering components are the logical location for this vulnerability given the XSS through cell input description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* p**k*** x-**t*-spr***s***t *r* vuln*r**l* to *ross-sit* S*riptin* (XSS) *u* to missin* s*nitiz*tion o* v*lu*s ins*rt** into t** **lls.

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** **ll *ont*nt r*n**rin*. Sin** t** p**k*** **n*l*s spr***s***t **t* *ispl*y, t** *or* **ll r*n**rin* *un*tion woul* ** r*sponsi*l* *or outputtin* us*r-*ontroll** v*lu*s to t** *OM. T** provi*** Po* **monstr*t*s