Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2023-1238

CVE-2023-1238:
Answer vulnerable to Cross-site Scripting

5.4

CVSS Score

Basic Information

CVE ID
CVE-2023-1238
GHSA ID
GHSA-5w78-v688-cx9q
EPSS Score
-
CWE
CWE-79
Published
3/7/2023
Updated
3/13/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/answerdev/answergo< 1.0.61.0.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from client-side markdown processing in the Comment component. Key evidence includes:

  1. Removal of 'marked' library import in the patch
  2. Elimination of client-side HTML generation via 'marked.parse(commentMarkDown)'
  3. Replacement of client-generated 'html' with server-provided 'res.parsed_text'
  4. The pattern matches classic XSS vulnerabilities where unsanitized user input is rendered as HTML
  5. The commit message explicitly references XSS fixes in comment handling
  6. CWE-79 classification confirms this is an output sanitization failure during web page generation

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* S*riptin* (XSS) - Stor** in *it*u* r*pository *nsw*r**v/*nsw*r prior to *.*.*.

Reasoning

T** vuln*r**ility st*ms *rom *li*nt-si** m*rk*own pro**ssin* in t** *omm*nt *ompon*nt. K*y *vi**n** in*lu**s: *. R*mov*l o* 'm*rk**' li*r*ry import in t** p*t** *. *limin*tion o* *li*nt-si** *TML **n*r*tion vi* 'm*rk**.p*rs*(*omm*ntM*rk*own)' *. R*pl