
CVE-2024-29504: Summernote vulnerable to cross-site scripting

CVSS Score
6.1 (CVSS v3.1)

Basic Information

EPSS Score
0.60565%
Published
4/11/2024
Updated
4/12/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
summernote
Ecosystem
npm
Vulnerable Versions
<= 0.8.18
First Patched Version
(none given)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from inadequate input sanitization when processing codeview content. GitHub PR #3782 shows that the core issue was the dom_value function's lack of HTML entity escaping for the &, < and > characters. Additionally, the Codeview.toggle function passes raw HTML through unchanged when switching modes, so untrusted input (as demonstrated in the PoV with the <script>alert(1)</script> payload) is rendered and executed directly. The patch addresses this by adding character escaping in dom_value, confirming these functions' roles in the vulnerability chain.
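The defect class described above, as an added example that is not Summernote's own code: a value is concatenated into HTML without escaping &, < and > (the characters the fix escapes in dom_value), so text becomes markup. The function names, the wrapper markup and the tag-inventory check are constructed for this demonstration; the only input used is the payload already cited on this page.

```javascript
'use strict';

// Added example, not Summernote's code. Models the "before" and "after" of an
// HTML-escaping fix of the kind described for dom_value in PR #3782.
// All function names and the wrapper markup are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let text become markup. The page's fix covers
// &, < and >; quotes are escaped too so the same helper is safe inside
// attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical "before": the raw value is concatenated into the editable
// area's HTML, so any tags in the value are interpreted by the browser.
function renderEditableUnsafe(value) {
  return '<div class="note-editable">' + value + '</div>';
}

// Hypothetical "after": the value is escaped first and can only ever be text.
function renderEditableEscaped(value) {
  return '<div class="note-editable">' + escapeHtml(value) + '</div>';
}

// Defensive check usable in unit tests or as a pre-render guard: list every
// tag name present in a fragment (lower-cased, de-duplicated, sorted).
function tagNames(html) {
  const names = new Set();
  const re = /<\s*\/?\s*([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.add(m[1].toLowerCase());
  return [...names].sort();
}

// True when the fragment contains any tag outside the expected wrapper set,
// i.e. when untrusted input has introduced markup of its own.
function introducesMarkup(html, allowed) {
  const allowedSet = new Set(allowed.map((t) => t.toLowerCase()));
  return tagNames(html).some((t) => !allowedSet.has(t));
}

// Constructed input: the payload the PoV on this page uses.
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';

console.log('unsafe  :', renderEditableUnsafe(SAMPLE_PAYLOAD));
console.log('escaped :', renderEditableEscaped(SAMPLE_PAYLOAD));
console.log('unsafe introduces markup :', introducesMarkup(renderEditableUnsafe(SAMPLE_PAYLOAD), ['div']));
console.log('escaped introduces markup:', introducesMarkup(renderEditableEscaped(SAMPLE_PAYLOAD), ['div']));
```

The tag-inventory check is deliberately simple (a regex, not an HTML parser); it is meant as a regression test for "does this render path let input add elements", not as a sanitizer. The durable fix is the escaping step itself, applied at the point where text is written into an HTML context.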

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Cross Site Scripting vulnerability in Summernote v.0.8.18 and before allows a remote attacker to execute arbitrary code via a crafted payload to the `codeview` parameter.
