
CVE-2022-40365:
ouqiang gocron Cross-site scripting vulnerability

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.59052%
Published: 9/15/2022
Updated: 1/28/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: github.com/ouqiang/gocron
Ecosystem: go
Vulnerable Versions: <= 1.5.3
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is explicitly tied to `scope.row.hostname` in the template rendering of `list.vue`. XSS occurs when unescaped, user-controlled input (the hostname) is rendered into the DOM. Vue's default `{{ }}` interpolation escapes content, so the presence of this vulnerability suggests that an unsafe rendering method such as `v-html` was used. GitHub issue #362 confirms the exact location (line 91) where the hostname is parsed as HTML, indicating a lack of output encoding in the template.
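As an added example (not gocron's own code, which this page does not show), the following simulates the difference the analysis describes between Vue's escaping `{{ }}` interpolation and raw `v-html` insertion of `scope.row.hostname`, and adds a hypothetical server-side hostname validator as defence in depth; the sample hostname is constructed.

```javascript
// Added example, not code from gocron. Models Vue's two rendering paths for a
// hostname value and a defence-in-depth input check on the server side.

// Minimal HTML escaper doing what Vue's text interpolation ({{ }}) does.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulates `<span>{{ scope.row.hostname }}</span>`: the value becomes text nodes.
function renderTextInterpolation(hostname) {
  return `<span>${escapeHtml(hostname)}</span>`;
}

// Simulates `<span v-html="scope.row.hostname"></span>`: the value becomes markup,
// so any tags inside the stored hostname are parsed by the browser.
function renderVHtml(hostname) {
  return `<span>${hostname}</span>`;
}

// Hypothetical validator (assumed, not gocron's): RFC 1123-style hostname, labels of
// 1-63 letters/digits/hyphens not starting or ending with a hyphen, <= 253 chars total.
// Anything containing '<', '>' or quotes fails, so markup never reaches the template.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/;
function isValidHostname(h) {
  return HOSTNAME_RE.test(h);
}

// Constructed sample: a stored "hostname" that carries markup instead of a name.
const constructedHostname = 'host1<b>injected</b>';

console.log('escaped :', renderTextInterpolation(constructedHostname));
console.log('v-html  :', renderVHtml(constructedHostname));
console.log('accepted:', isValidHostname(constructedHostname));
```

The escaped rendering keeps the tags as literal text, the v-html rendering hands them to the HTML parser, and the validator rejects the value before it is ever stored.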

WAF Protection Rules

WAF Rule

Cross site scripting (XSS) vulnerability in ouqiang gocron through 1.5.3, allows attackers to execute arbitrary code via scope.row.hostname in web/vue/src/pages/taskLog/list.vue.