Miggo Logo
Miggo Vulnerability Database
CVE-2024-33748

CVE-2024-33748: MS Basic Cross-site Scripting vulnerability

4.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-33748
GHSA ID
GHSA-64cm-3cj3-67hf
EPSS Score
0.36592%
CWE
CWE-79
Published
5/7/2024
Updated
7/5/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
net.mingsoft:ms-basicmaven<= 2.1.13.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input sanitization in the search function's error handling. The GitHub analysis explicitly identifies XssHttpServletRequestWrapper.clean as the source where unsanitized exception messages (containing user input) are returned to the client. This class is part of the request processing chain before reaching Servlet, making it a logical location for input validation failures. The direct correlation between the error message reflection described and the XSS mechanism confirms this function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* (XSS) vuln*r**ility in t** s**r** *un*tion in M*v*n n*t.min*so*t MS **si* *.*.**.* *n* **rli*r.

Reasoning

T** vuln*r**ility st*ms *rom improp*r input s*nitiz*tion in t** s**r** *un*tion's *rror **n*lin*. T** *it*u* *n*lysis *xpli*itly i**nti*i*s `Xss*ttpS*rvl*tR*qu*stWr*pp*r.*l**n` *s t** sour** w**r* uns*nitiz** *x**ption m*ss***s (*ont*inin* us*r input