
CVE-2022-48345: @braintree/sanitize-url Cross-site Scripting vulnerability

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.62905%
Published: 2/24/2023
Updated: 3/3/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: @braintree/sanitize-url
Ecosystem: npm
Vulnerable Versions: < 6.0.1
First Patched Version: 6.0.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The patch 1) modified decodeHtmlCharacters to handle &Tab; entities and 2) updated the urlSchemeRegex to detect &colon;. The vulnerability manifests in these two areas: failure to normalize tab entities before decoding, and inability to detect HTML-encoded colons in protocol schemes. Both code paths directly process attacker-controlled input and were missing this entity handling before the patch.
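An added illustration, not code from @braintree/sanitize-url or from Miggo: a sanitizer that decodes numeric and named entities (&Tab;, &NewLine;, &colon;) and strips control characters before it matches the scheme, run against constructed vectors for the two gaps the analysis names. The entity table, regexes and function names are assumptions of this example.

```javascript
// Added example, not @braintree/sanitize-url's own code: normalize HTML
// entities first, then look for a dangerous protocol. Entity table and
// regexes below are this example's own assumptions.
const NAMED_ENTITIES = { tab: "\t", newline: "\n", colon: ":" }; // subset used here
const CTRL_CHARS = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/g;
const BLOCKED_SCHEMES = /^(javascript|data|vbscript)$/i;

// Decode one numeric entity value; drop values outside the code point range.
function fromCodePoint(n) {
  return Number.isFinite(n) && n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Decode &#NNN; / &#xHH; and the named entities above, then strip control
// characters so "java<TAB>script" collapses to "javascript".
function normalizeUrl(url) {
  return url
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCodePoint(parseInt(dec, 10)))
    .replace(/&([a-z]+);/gi, (m, name) => NAMED_ENTITIES[name.toLowerCase()] ?? m)
    .replace(CTRL_CHARS, "")
    .trim();
}

// Extract the scheme from a string as-is. Run on raw input this is the pre-fix
// gap: "javascript&colon;..." has no literal ':' and yields no scheme at all.
function extractScheme(url) {
  const m = url.match(/^([a-z][a-z0-9+.-]*):/i);
  return m ? m[1].toLowerCase() : null;
}

// Hardened sanitizer: normalize first, then check the scheme.
function sanitizeUrl(url) {
  if (!url) return "about:blank";
  const normalized = normalizeUrl(url);
  if (!normalized) return "about:blank";
  if (normalized.startsWith("/") || normalized.startsWith(".")) return normalized; // relative
  const scheme = extractScheme(normalized);
  return scheme && BLOCKED_SCHEMES.test(scheme) ? "about:blank" : normalized;
}

// Constructed test vectors (not taken from the advisory).
const VECTORS = [
  "javascript&colon;void(0)", // encoded colon hides the scheme separator
  "java&Tab;script:void(0)",  // tab entity splits the scheme name
  "&#106;avascript:void(0)",  // numeric entity for 'j'
  "https://example.com/?q=1", // benign, returned unchanged
];
for (const v of VECTORS) console.log(JSON.stringify(v), "->", sanitizeUrl(v));
```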


WAF Protection Rules

WAF Rule

sanitize-url (aka @braintree/sanitize-url) before 6.0.1 allows XSS via HTML entities.
