
CVE-2023-29014: Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.70209%
Published: 4/7/2023
Updated: 4/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.goobi.viewer:viewer-core | maven | < 23.03 | 23.03 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from insufficient input validation in the setLogid method. The patch introduced a regex check ([\w-]+) and exception handling, indicating prior lack of XSS-safe validation. The function directly processes user-controlled LOGID parameter and was vulnerable to script injection before proper sanitization was added. SolrTools.escapeSpecialCharacters() alone doesn't prevent HTML/JS context XSS, making this the clear injection point.
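The following is an added example, not code from the Goobi viewer project, that illustrates the distinction the analysis draws: escaping a value for a Solr query leaves HTML-significant characters untouched, whereas an allow-list check such as `[\w-]+` rejects anything that is not a plain identifier before it can reach any output context. The class `LogIdValidator` and the methods `validateLogId` and `solrEscape` are hypothetical names; `solrEscape` is a constructed stand-in for a Solr special-character escaper, not the project's `SolrTools.escapeSpecialCharacters()`.

```java
import java.util.regex.Pattern;

/**
 * Added example (hypothetical names, not Goobi viewer code): contrasts
 * Solr-query escaping with allow-list validation of a LOGID-style parameter.
 */
public final class LogIdValidator {

    // Allow-list matching the regex named in the analysis: word characters and '-'.
    // matches() requires the whole string to conform, so '<', '>', quotes and
    // spaces cannot pass.
    private static final Pattern LOGID = Pattern.compile("[\\w-]+");

    /** Returns the value unchanged if it is a well-formed LOGID, otherwise throws. */
    public static String validateLogId(String logid) {
        if (logid == null || !LOGID.matcher(logid).matches()) {
            throw new IllegalArgumentException("Invalid LOGID parameter");
        }
        return logid;
    }

    /**
     * Constructed stand-in for a Solr escaper: backslash-escapes Solr query
     * syntax characters only. '<' and '>' are not in that set, so HTML markup
     * survives escaping unchanged.
     */
    static String solrEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if ("+-&|!(){}[]^\"~*?:\\/".indexOf(c) >= 0) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String benign = "LOG_0001-a";
        String markup = "<script>alert(1)</script>";

        // A legitimate identifier passes the allow-list check unchanged.
        System.out.println("accepted: " + validateLogId(benign));

        // Solr escaping is for the query context only; the tags are still there,
        // so this value would remain dangerous if reflected into a page.
        System.out.println("solr-escaped: " + solrEscape(markup));

        // The allow-list check rejects the same value outright.
        try {
            validateLogId(markup);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Validating at the point where the parameter is read, as the patch does, is the safer fix because it does not depend on every downstream consumer (Solr query, HTML template, log line) applying the correct context-specific encoding; output encoding in the HTML layer remains the defence for values that legitimately need to contain markup-significant characters.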


WAF Protection Rules

WAF Rule

### Impact

A reflected cross-site scripting vulnerability has been identified in Goobi viewer core when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting i
