6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2589

GHSA ID

GHSA-6hcj-qrw3-m66q

EPSS Score

0.46282%

CWE

CWE-79

Published

8/2/2022

Updated

9/20/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2589

CVE-2022-2589: Fava vulnerable to reflected cross-site scripting

Fava before 1.22.3 is vulnerable to reflected cross-site scripting due to improper validation on filter conversion.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-2589

CVE-2022-2589:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2589

GHSA ID

GHSA-6hcj-qrw3-m66q

EPSS Score

0.46282%

CWE

CWE-79

Published

8/2/2022

Updated

9/20/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fava	pip	>= 0, < 1.22.3	1.22.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from multiple tooltip generation functions that constructed HTML content through unsafe string interpolation of user-controlled input. The patch replaces direct HTML string manipulation with DOM-safe methods (document.createTextNode, element creation). Key indicators include:

Use of template literals with embedded variables in HTML contexts
Reliance on innerHTML assignment in tooltip rendering (visible in tooltip.ts patches)
Direct handling of user-controlled values like account names, descriptions, and filter parameters without proper escaping
Commit message explicitly references XSS safety improvements
CWE-79 alignment with improper input neutralization in web page generation

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-2589: Fava vulnerable to reflected cross-site scripting

CVE-2022-2589:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.1

6.1

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2022-2589: Fava vulnerable to reflected cross-site scripting

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI