-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability is a stored Cross-Site Scripting (XSS) issue in Piranha CMS. The analysis of the commits between the vulnerable version (12.0.0) and the patched version (12.1) revealed a security fix in commit 0a1e5081b9e954856ad9fe641335ab049b27090d. This commit addresses an XSS vulnerability by adding input sanitization using DOMPurify.
The patch modifies the quote-block.vue and text-block.vue components. In quote-block.vue, the onAuthorBlur and onBodyBlur methods were vulnerable because they directly assigned user-provided innerText from a content-editable field to the data model. In text-block.vue, the v-model directive on a textarea was replaced with a new onChange method that sanitizes the input. These changes prevent attackers from injecting and storing malicious scripts.
While the vulnerability description specifies the 'Media module' and 'Name field', the identified patch applies to the 'quote' and 'text' content blocks. This suggests a possible discrepancy in the vulnerability's description in the advisory. However, the nature of the fix in the identified commit directly corresponds to a stored XSS vulnerability and is the only security-related change in the analyzed version range.
quote-block.onAuthorBlurcore/Piranha.Manager/assets/src/js/components/blocks/quote-block.vue
quote-block.onBodyBlurcore/Piranha.Manager/assets/src/js/components/blocks/quote-block.vue
text-block.onChangecore/Piranha.Manager/assets/src/js/components/blocks/text-block.vue
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Piranha | nuget | <= 12.0.0 |