Miggo Logo

CVE-2023-0488: Cross-site Scripting in pyload-ng

5.4

CVSS Score
3.1

Basic Information

EPSS Score
0.49854%
Published
1/27/2023
Updated
2/7/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
pyload-ngpip< 0.5.0b3.dev420.5.0b3.dev42

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from HTML injection in package link generation. Both affected files show the same pattern: constructing <a> tags with raw 'link.url' and 'link.name' values. The patch adds 'onclick='return false'' to prevent link execution, indicating these were active XSS vectors. The functions are vulnerable because they directly interpolate user-controlled data into DOM elements without proper escaping or sanitization, meeting CWE-79 criteria for improper input neutralization during web page generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* S*riptin* (XSS) - Stor** in *it*u* r*pository pylo**/pylo** prior to *.*.***.**v**.

Reasoning

T** vuln*r**ility st*ms *rom *TML inj**tion in p**k*** link **n*r*tion. *ot* *****t** *il*s s*ow t** s*m* p*tt*rn: *onstru*tin* <*> t**s wit* r*w 'link.url' *n* 'link.n*m*' v*lu*s. T** p*t** ***s 'on*li*k='r*turn **ls*'' to pr*v*nt link *x**ution, in