The vulnerability is a stored Cross-Site Scripting (XSS) issue in listmonk, where low-privileged users can inject malicious JavaScript into campaign or template content. The root cause of the vulnerability lies in the backend, where user-supplied input is not properly sanitized before being stored and rendered in different parts of the application, such as the campaign preview and the public archive page. The use of the Safe function in Go templates, as mentioned in the advisory, is a strong indicator of this.
The provided patch is a frontend mitigation that focuses on the campaign preview feature. It adds the sandbox="allow-scripts" attribute to the <iframe> in the CampaignPreview.vue component. Because the sandbox does not grant allow-same-origin, any script that runs inside the preview frame executes in an opaque origin and cannot reach the parent page's DOM, cookies, or storage; this limits the damage of an XSS payload but does not fix the underlying vulnerability. The commit message explicitly states that this change does not address the vulnerability in other areas, such as the public archive page.
The identified vulnerable functions, CampaignPreview.mounted and CampaignPreview.onLoaded, are part of the frontend Vue.js component responsible for rendering the campaign preview. The mounted function initiates the loading of the malicious content, and onLoaded is called after the content is loaded. Therefore, these functions are key runtime indicators that would appear in a profiler during the exploitation of the XSS via the campaign preview feature.
- CampaignPreview.mounted (frontend/src/components/CampaignPreview.vue)
- CampaignPreview.onLoaded (frontend/src/components/CampaignPreview.vue)
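The following is an added illustration of the backend root cause described above, written for this page rather than taken from listmonk: it does not reproduce listmonk's own template helpers. It uses Go's standard html/template to show how wrapping user-supplied campaign content in template.HTML (the pattern a "Safe" helper typically implements) disables contextual escaping, while rendering the same content as a plain string keeps the script tag inert. The sample body is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample of attacker-controlled campaign content (hypothetical).
const untrustedBody = `<p>Hello</p><script>alert(1)</script>`

// Minimal page template standing in for a campaign preview or archive page.
const page = `<div class="campaign">{{ .Body }}</div>`

// renderUnsafe mimics a "Safe" helper: marking the input as template.HTML
// tells html/template the content is trusted, so nothing is escaped and the
// <script> element survives into the rendered output.
func renderUnsafe(body string) (string, error) {
	t := template.Must(template.New("page").Parse(page))
	var buf bytes.Buffer
	err := t.Execute(&buf, map[string]interface{}{"Body": template.HTML(body)})
	return buf.String(), err
}

// renderEscaped passes the input as a plain string; html/template escapes it
// according to the HTML context it lands in, neutralising the payload.
func renderEscaped(body string) (string, error) {
	t := template.Must(template.New("page").Parse(page))
	var buf bytes.Buffer
	err := t.Execute(&buf, map[string]interface{}{"Body": body})
	return buf.String(), err
}

// containsActiveScript is a coarse check a reviewer or test might apply to
// rendered output: does a literal <script tag appear unescaped?
func containsActiveScript(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	unsafe, _ := renderUnsafe(untrustedBody)
	escaped, _ := renderEscaped(untrustedBody)
	fmt.Println("unsafe  :", unsafe, "-> active script:", containsActiveScript(unsafe))
	fmt.Println("escaped :", escaped, "-> active script:", containsActiveScript(escaped))
}
```

Marking content as template.HTML is only appropriate after it has been sanitized against an allowlist of tags and attributes; the escaped path is the default that html/template provides when no such wrapper is used.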
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/knadh/listmonk | go | >= 1.1.1, < 6.0.0 | 6.0.0 |
| github.com/knadh/listmonk | go | < 1.1.1-0.20251231125615-74dc5a01cfbb | 1.1.1-0.20251231125615-74dc5a01cfbb |