
CVE-2022-25929: Smoothie vulnerable to Cross-site Scripting when tooltipLabel or strokeStyle are controlled by users

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.33174%
Published: 12/21/2022
Updated: 1/30/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions    First Patched Version
smoothie       npm         >= 1.31.0, < 1.36.1    1.36.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the tooltipFormatter function building HTML through unsafe string concatenation of user-controlled properties. The commit diff shows the original implementation used innerHTML with raw user input in strokeStyle and tooltipLabel, while the patch switched to DOM element creation methods (createElement, createTextNode) to prevent HTML injection. The function's direct handling of these user-controlled properties in HTML generation makes it the clear vulnerable entry point.
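The two patterns this analysis contrasts, as an added illustration that is not Smoothie's own code: the string-concatenation path that feeds innerHTML beside the createElement/createTextNode path. Function names, the sample series and the stand-in document are constructed for the example.

```javascript
// Constructed sample series options; the second entry carries markup in both
// user-controlled properties (strokeStyle and tooltipLabel).
const SAMPLE_SERIES = [
  { strokeStyle: '#ff0000', tooltipLabel: 'cpu', value: 42 },
  { strokeStyle: 'red" onmouseover="alert(1)',
    tooltipLabel: '<img src=x onerror=alert(1)>', value: 7 },
];

// Vulnerable pattern: values are concatenated into an HTML string that the
// caller assigns to tooltipEl.innerHTML, so markup in either property is
// parsed as HTML and the strokeStyle value can break out of the attribute.
function tooltipHtmlUnsafe(series) {
  return series.map(s =>
    '<span style="color:' + s.strokeStyle + '">' +
    s.tooltipLabel + ': ' + s.value + '</span>').join('<br>');
}

// Hardened pattern: build DOM nodes instead. `doc` is any object exposing the
// DOM createElement/createTextNode API (window.document in a browser). The
// label becomes a text node and the colour a CSSOM property value, so neither
// can introduce elements, attributes or event handlers.
function tooltipNodesSafe(doc, series) {
  const root = doc.createElement('div');
  series.forEach((s, i) => {
    if (i > 0) root.appendChild(doc.createElement('br'));
    const span = doc.createElement('span');
    span.style.color = String(s.strokeStyle); // a real browser rejects invalid CSS here
    span.appendChild(doc.createTextNode(s.tooltipLabel + ': ' + s.value));
    root.appendChild(span);
  });
  return root;
}

// Minimal constructed stand-in for `document` so the example runs under Node;
// it records tree structure only and performs no CSS validation.
function fakeDocument() {
  const element = (tag) => ({
    tagName: tag, style: {}, childNodes: [],
    appendChild(n) { this.childNodes.push(n); return n; },
  });
  return {
    createElement: element,
    createTextNode: (data) => ({ tagName: '#text', data, childNodes: [] }),
  };
}

// Inspection helpers: element names in document order, and concatenated text.
function collectTags(node, out = []) {
  if (node.tagName !== '#text') out.push(node.tagName);
  node.childNodes.forEach(c => collectTags(c, out));
  return out;
}
function collectText(node) {
  return node.tagName === '#text' ? node.data : node.childNodes.map(collectText).join('');
}
```

In a browser the caller replaces `tooltipEl.innerHTML = tooltipHtmlUnsafe(series)` with `tooltipEl.replaceChildren(tooltipNodesSafe(document, series))`, which is the shape of the upstream fix.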

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control th
