CVE-2022-3072: francoisjacquet/rosariosis vulnerable to Cross-Site Scripting (XSS)

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.41642%
Published: 9/2/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: francoisjacquet/rosariosis
Ecosystem: composer
Vulnerable Versions: < 8.9.3
First Patched Version: 8.9.3

Vulnerability Intelligence

Root Cause Analysis

The commit dcd3b86 explicitly shows the removal of '.svg' from the FileExtensionWhiteList() in FileUpload.fnc.php, with the comment stating this fixes a stored XSS issue. SVG files are inherently risky for XSS as they can contain executable scripts, and allowing them without sanitization creates a direct vulnerability. The patch confirms this was the attack vector by disabling SVG uploads.
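The following is an added illustration of the kind of check the fix describes, written for this page and not taken from RosarioSIS; the function names, the two allow lists and the sample bytes are all constructed here, and the only point borrowed from the project is that '.svg' is dropped from the extension allow list. It shows the extension allow list before and after the change, handles upper-case extensions, and adds a content sniff so that an SVG document renamed to an allowed extension is still refused.

```php
<?php
// Added example (not RosarioSIS code). Names below are hypothetical.

// "Before": a constructed allow list that still admits SVG (illustrative only,
// not the project's real FileExtensionWhiteList() contents).
const ALLOWED_BEFORE = ['jpg', 'jpeg', 'png', 'gif', 'svg', 'pdf'];

// "After": the same list with 'svg' removed, mirroring what commit dcd3b86 did.
const ALLOWED_AFTER = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Lower-cased final extension of a filename, or '' when there is none.
 * Only the last extension counts, so "report.svg.png" yields "png".
 */
function finalExtension(string $filename): string
{
    $base = basename($filename);
    $pos = strrpos($base, '.');
    return $pos === false ? '' : strtolower(substr($base, $pos + 1));
}

/**
 * Extension allow-list check. Case-insensitive, so "LOGO.SVG" is seen as "svg".
 */
function extensionAllowed(string $filename, array $allowList): bool
{
    $ext = finalExtension($filename);
    return $ext !== '' && in_array($ext, $allowList, true);
}

/**
 * Defence in depth: detect SVG content regardless of the file name.
 * An SVG document is XML whose root element is <svg>; look for that opening
 * tag in the first few KB after discarding a BOM, comments, an XML
 * declaration and a DOCTYPE.
 */
function looksLikeSvg(string $bytes): bool
{
    $head = substr($bytes, 0, 4096);
    $head = preg_replace('/^\xEF\xBB\xBF/', '', $head);     // UTF-8 BOM
    $head = preg_replace('/<!--.*?-->/s', '', $head);      // XML comments
    $head = preg_replace('/<\?xml[^>]*\?>/i', '', $head);  // XML declaration
    $head = preg_replace('/<!DOCTYPE[^>]*>/i', '', $head); // DOCTYPE
    return (bool) preg_match('/^\s*<svg\b/i', $head);
}

/**
 * What an upload handler would call: refuse on extension first, then refuse
 * SVG content that arrived under an allowed extension.
 */
function uploadAccepted(string $filename, string $bytes, array $allowList): bool
{
    if (!extensionAllowed($filename, $allowList)) {
        return false;
    }
    return !looksLikeSvg($bytes);
}

// Constructed sample inputs: a minimal SVG document and a PNG signature.
$svgBytes = "<?xml version=\"1.0\"?>\n<!-- comment -->\n"
          . "<svg xmlns=\"http://www.w3.org/2000/svg\"></svg>";
$pngBytes = "\x89PNG\r\n\x1a\n";

var_dump(uploadAccepted('logo.svg', $svgBytes, ALLOWED_BEFORE)); // old list
var_dump(uploadAccepted('logo.svg', $svgBytes, ALLOWED_AFTER));  // fixed list
var_dump(uploadAccepted('LOGO.SVG', $svgBytes, ALLOWED_AFTER));  // upper-case extension
var_dump(uploadAccepted('logo.png', $svgBytes, ALLOWED_AFTER));  // SVG renamed to .png
var_dump(uploadAccepted('photo.png', $pngBytes, ALLOWED_AFTER)); // genuine PNG
```

Run with `php example.php`: only the first call (the old allow list) and the last call (a real PNG under the fixed list) accept the upload; the fixed list rejects `logo.svg` and `LOGO.SVG` on extension alone, and the content sniff rejects the SVG document that was renamed to `.png`. Removing the extension is the change the patch made; the content check is the extra step a defender would add so that the rule cannot be bypassed by renaming the file.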

WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3.
