
CVE-2023-26131: Algernon engine and themes vulnerable to Cross-site Scripting

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.45489%
Published: 5/31/2023
Updated: 11/4/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name                 | Ecosystem | Vulnerable Versions | First Patched Version
github.com/xyproto/algernon  | go        | <= 1.15.2           |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability documentation explicitly identifies themes.NoPage(filename, theme) as the XSS source. The implementation in themes/html.go line 145 shows unsafe concatenation of the filename parameter into HTML output. The handler in engine/handlers.go line 514 calls this function with unsanitized user input taken from the request URL path, so a crafted path is echoed unescaped into the 404 error page: a reflected XSS. The CVSS vector agrees with that reading (UI:R, the victim must open the crafted link; S:C, the script runs in the browser of whoever follows it).
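The pattern described above, as an added illustration that is not Algernon's code: a 404 page builder that concatenates the requested path into HTML, next to the hardened form that escapes every request-derived value with html.EscapeString, both driven by the same net/http handler. The function names, the page markup and the probe URL are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// noPageVulnerable mimics the pattern the root-cause analysis describes:
// the requested filename (and the theme name) are concatenated straight
// into the 404 HTML body. Illustrative reconstruction, not Algernon's code.
func noPageVulnerable(filename, theme string) string {
	return "<!doctype html><html><body class=\"" + theme + "\">" +
		"<h1>404 Not Found</h1><p>" + filename + " was not found.</p>" +
		"</body></html>"
}

// noPageSafe is the hardened form of the same builder: every value that
// derives from the request is HTML-escaped before it lands in text or
// attribute context, so <, >, &, " and ' can no longer break out.
func noPageSafe(filename, theme string) string {
	return "<!doctype html><html><body class=\"" + html.EscapeString(theme) + "\">" +
		"<h1>404 Not Found</h1><p>" + html.EscapeString(filename) + " was not found.</p>" +
		"</body></html>"
}

// notFoundHandler wires a page builder into an HTTP handler the way a 404
// path would: the URL path is the attacker-controlled filename.
func notFoundHandler(build func(filename, theme string) string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprint(w, build(r.URL.Path, "default"))
	}
}

// containsScript reports whether a response body carries the probe's
// <script> tag unescaped, i.e. whether the page reflected it as markup.
func containsScript(body string) bool {
	return strings.Contains(body, "<script>")
}

// probe404 requests a non-existent path that carries a percent-encoded
// XSS probe (constructed test input; a browser would send it this way)
// and returns the 404 body the given builder produced.
func probe404(build func(filename, theme string) string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/%3Cscript%3Ealert(1)%3C/script%3E", nil)
	notFoundHandler(build).ServeHTTP(rec, req)
	return rec.Body.String()
}

func main() {
	fmt.Println("vulnerable builder reflects <script>:", containsScript(probe404(noPageVulnerable)))
	fmt.Println("hardened builder reflects <script>:  ", containsScript(probe404(noPageSafe)))
}
```

Manual escaping is enough for a fixed string-built page like this one; for anything larger, rendering the 404 page through html/template is the better fix, since it applies context-aware escaping automatically and removes the chance of one forgotten html.EscapeString call.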

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the `themes.NoPage(filename, theme)` function due to improper user input s
