Miggo Logo

CVE-2023-32193: Norman API Cross-site Scripting Vulnerability

8.3

CVSS Score
3.1

Basic Information

EPSS Score
0.22489%
Published
2/8/2024
Updated
10/16/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/rancher/normango< 0.0.0-20240207153100-3bb70b772b520.0.0-20240207153100-3bb70b772b52

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key areas: 1) In html.go, user-controlled URLs were inserted into HTML attributes without OWASP-recommended attribute encoding, as evidenced by the addition of encodeAttribute in the patch. 2) In url.go, the previous string-based URL construction method didn't properly escape path components, allowing XSS payloads in URLs. The patches specifically address these by introducing attribute encoding and using url.URL's safe path construction methods.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * vuln*r**ility **s ***n i**nti*i** in w*i** un*ut**nti**t** *ross-sit* s*riptin* (XSS) in Norm*n's pu*li* *PI *n*point **n ** *xploit**. T*is **n l*** to *n *tt**k*r *xploitin* t** vuln*r**ility to tri***r J*v*S*ript *o** *n* *x**ut* *omm

Reasoning

T** vuln*r**ility st*ms *rom two k*y *r**s: *) In `*tml.*o`, us*r-*ontroll** URLs w*r* ins*rt** into *TML *ttri*ut*s wit*out OW*SP-r**omm*n*** *ttri*ut* *n*o*in*, *s *vi**n*** *y t** ***ition o* `*n*o***ttri*ut*` in t** p*t**. *) In `url.*o`, t** pr*