
CVE-2022-2932: Cross site scripting in mobiledoc-kit

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.59368%
Published: 8/23/2022
Updated: 1/28/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name    Ecosystem  Vulnerable Versions  First Patched Version
mobiledoc-kit   npm        < 0.14.2             0.14.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The key evidence in the patch is the dependency upgrade from mobiledoc-dom-renderer@0.7.1 to 0.7.2; mobiledoc-kit's own source is not modified. Because the CVE describes a reflected XSS and mobiledoc-dom-renderer is the component that turns mobiledoc markup into DOM nodes, the defect most likely sat in the renderer's DOM construction logic, specifically in how it handled untrusted input while creating HTML elements and their attributes. Since the fix is only a dependency bump, consumers should check that the version of mobiledoc-dom-renderer actually resolved in their lockfile is 0.7.2 or later, rather than relying solely on mobiledoc-kit being at 0.14.2: a lockfile or another dependency can keep the older renderer in place.


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - Reflected in GitHub repository bustle/mobiledoc-kit prior to 0.14.2.
