CVE-2022-47419: Mayan EDMS DMS XSS vulnerability

CVSS Score (v3.1)
5.4

Basic Information

EPSS Score
0.3727%
Published
2/8/2023
Updated
11/26/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name
mayan-edms
Ecosystem
pip
Vulnerable Versions
< 4.3.6
First Patched Version
4.3.6

Vulnerability Intelligence

Root Cause Analysis

The vulnerability manifests in the tag selection interface, where user-controlled tag labels were rendered without proper sanitization. The vendor's patch notes specifically mention adding sanitization to the Select2 widget template used for tag selection, which indicates that the rendering path for tag widgets lacked output encoding. While the exact code isn't available, the pattern matches a common Django widget weakness: user-supplied data is interpolated directly into an HTML template without escaping, so markup inside a tag label is emitted as live HTML instead of text.
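The pattern described above, as an added example that is not Mayan EDMS code: a tag label interpolated straight into option markup beside the same rendering with output encoding, plus a small check a reviewer can run over the rendered HTML. It uses only the standard library (Python's `html.escape` stands in for Django's autoescaping / `format_html`), and the tag list is constructed sample data.

```python
from html import escape
from typing import Iterable, Tuple

# (primary key, user-controlled label) as a tag selection widget would receive it
Tag = Tuple[int, str]


def render_options_vulnerable(tags: Iterable[Tag]) -> str:
    """Vulnerable pattern: the label is written into the markup unencoded,
    so any HTML inside a tag label becomes part of the page."""
    return "".join(f'<option value="{pk}">{label}</option>' for pk, label in tags)


def render_options_hardened(tags: Iterable[Tag]) -> str:
    """Hardened form: every user-controlled value is HTML-escaped before it
    reaches the template, including the attribute position (quote=True)."""
    return "".join(
        f'<option value="{escape(str(pk), quote=True)}">'
        f'{escape(label, quote=True)}</option>'
        for pk, label in tags
    )


def label_leaked_as_markup(rendered_html: str, label: str) -> bool:
    """Detection helper: True when a label containing markup characters
    survives verbatim into the rendered output (i.e. no output encoding)."""
    has_markup = any(ch in label for ch in '<>"')
    return has_markup and label in rendered_html


# Constructed sample: one ordinary tag and one whose label carries markup.
SAMPLE_TAGS = [(1, "invoices"), (2, '<script>alert("tag")</script>')]

if __name__ == "__main__":
    risky_label = SAMPLE_TAGS[1][1]
    for name, renderer in (("vulnerable", render_options_vulnerable),
                           ("hardened", render_options_hardened)):
        html = renderer(SAMPLE_TAGS)
        print(f"{name}: leaked={label_leaked_as_markup(html, risky_label)}\n  {html}")
```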


WAF Protection Rules

WAF Rule

An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed in the in-product tagging system.
