Miggo Logo

CVE-2024-57556: Cross Site Scripting vulnerability in store2

6.1

CVSS Score
3.1

Basic Information

EPSS Score
0.28177%
Published
1/24/2025
Updated
1/24/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
store2npm< 2.14.42.14.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the store.deep.js component's use of eval() in processing keys, as explicitly shown in GitHub issue #127. The proof-of-concept demonstrates XSS via crafted keys containing semicolons and alert() calls. The patch in PR #128 replaces eval() with a safe path resolution mechanism, confirming this was the vulnerable function. The combination of user-controlled input reaching eval() without proper sanitization creates the XSS vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* vuln*r**ility in n*u*n* stor* v.*.**.* *n* ***or* *llows * r*mot* *tt**k*r to *x**ut* *r*itr*ry *o** vi* t** stor*.***p.js *ompon*nt

Reasoning

T** vuln*r**ility st*ms *rom t** `stor*.***p.js` *ompon*nt's us* o* `*v*l()` in pro**ssin* k*ys, *s *xpli*itly s*own in *it*u* issu* #***. T** proo*-o*-*on**pt **monstr*t*s XSS vi* *r**t** k*ys *ont*inin* s*mi*olons *n* `*l*rt()` **lls. T** p*t** in