
CVE-2022-32167: Cross site scripting in Cloudreve

CVSS Score: 5.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.43907%
Published: 9/21/2022
Updated: 7/7/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/HFO4/cloudreve | go | >= 1.0.0, <= 2.0.0 | |
| github.com/cloudreve/Cloudreve/v3 | go | >= 3.0.0, < 3.6.0-beta1 | 3.6.0-beta1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing Content-Security-Policy sandbox headers in file preview handlers. The patch adds middleware.Sandbox() to these routes, which implements 'Content-Security-Policy: sandbox'. The affected controller functions handled file content delivery without this protection in vulnerable versions, allowing malicious HTML/JS files to execute when previewed. The direct correlation between the added security middleware and these handler functions in the commit diff confirms their vulnerability.
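The effect of that header on a preview route can be shown with a short added example. It is not Cloudreve's code: it uses Go's standard net/http rather than the project's router, the `Sandbox` function is a stand-in for the `middleware.Sandbox()` named above, and the route paths, the `preview` handler and the `missingSandbox` audit helper are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// preview stands in for a file preview handler that returns stored user
// content inline. The body is a constructed sample of an uploaded HTML file.
func preview(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, `<script>document.title = "script ran"</script>`)
}

// Sandbox adds "Content-Security-Policy: sandbox" to every response. With no
// allow-* tokens the browser disables scripts and gives the document an
// opaque origin, so a previewed file cannot act with the viewer's session.
func Sandbox(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", "sandbox")
		next.ServeHTTP(w, r)
	})
}

// routes registers the same handler without and with the middleware
// (hypothetical paths).
func routes() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/before/preview", preview)
	mux.Handle("/after/preview", Sandbox(http.HandlerFunc(preview)))
	return mux
}

// missingSandbox requests each path and returns those whose response carries
// no sandbox directive (substring match on the CSP header value).
func missingSandbox(h http.Handler, paths []string) (missing []string) {
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		csp := rec.Result().Header.Get("Content-Security-Policy")
		if !strings.Contains(strings.ToLower(csp), "sandbox") {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	fmt.Println("routes missing CSP sandbox:", missingSandbox(routes(), []string{"/before/preview", "/after/preview"}))
}
```

A check like `missingSandbox` fits in a route test suite so that a newly added content-serving route without the middleware fails the build.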


WAF Protection Rules

WAF Rule

Cloudreve versions v*.*.* through v*.*.* are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functionality. A low privileged user will be able to share a file with an admin user, which could lead to privilege escalation.
