7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-6mp4-q625-mxjp

GHSA-6mp4-q625-mxjp: YOURLS is vulnerable to XSS through JSONP and Callback request parameters

Summary

The callback and jsonp request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body though browser execution is blocked.

Details

Vulnerability exists in the JSONP callback handling chain:

yourls-api.php:127-128

if( isset( $_REQUEST['callback'] ) )
    $return['callback'] = $_REQUEST['callback'];
elseif ( isset( $_REQUEST['jsonp'] ) )
    $return['callback'] = $_REQUEST['jsonp'];

includes/functions-api.php:127-128

$callback = isset( $output['callback'] ) ? $output['callback'] : '';
$result =  $callback . '(' . json_encode( $output ) . ')';

PoC

I. YOURLS instance with YOURLS_PRIVATE set to false in config.php or user authenticated to a private YOURLS instance.

II. curl "http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert(document.domain)//" Expected response: alert(document.domain)//({"version":"1.10.2","callback":"alert(document.domain)\/\/"})

Browser PoC file:

<!DOCTYPE html>
<html>
<head><title>pwn</title></head>
<body>
<h1>pwn</h1>
<script src="http://localhost:8080/yourls-api.php?action=version&format=jsonp&callback=alert('pwn');//"></script>
</body>
</html>

Impact

Public Mode (YOURLS_PRIVATE=false): Full exploitation, any unauthenticated user can trigger XSS. Private Mode (YOURLS_PRIVATE=true): XSS payload is injected into 403 response body but browser blocks script execution. However, authenticated users or admins accessing malicious links are still vulnerable.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-6mp4-q625-mxjp

GHSA-6mp4-q625-mxjp:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
yourls/yourls	composer	<= 1.10.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the handling of JSONP callback parameters in YOURLS. The entry point for the vulnerability is yourls-api.php, which reads the callback or jsonp parameter from the user's request. This unsanitized input is then passed to the yourls_api_output function in includes/functions-api.php. The yourls_api_output function, prior to the patch, would directly concatenate this user-provided string into the response, leading to a Cross-Site Scripting (XSS) vulnerability. The provided patch b1c6100e0aa6fef58c9c1a394ccc19352c3a480a confirms this by adding a validation step using the new yourls_validate_jsonp_callback function within yourls_api_output before the callback is used. Therefore, yourls_api_output is the function where the vulnerability is triggered.

Vulnerable functions

yourls_api_output

includes/functions-api.php

The function `yourls_api_output` is vulnerable to Cross-Site Scripting (XSS). It takes a callback parameter from the user request and directly concatenates it into the JSONP response without proper sanitization. This allows an attacker to inject arbitrary JavaScript code, which will be executed in the user's browser. The patch introduces a call to `yourls_validate_jsonp_callback` to validate the callback parameter before it is used, thus mitigating the vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-6mp4-q625-mxjp: YOURLS is vulnerable to XSS through JSONP and Callback request parameters

Summary

Details

PoC

Impact

GHSA-6mp4-q625-mxjp:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-6mp4-q625-mxjp: YOURLS is vulnerable to XSS through JSONP and Callback request parameters

Summary

Details

PoC

Impact

7.1

7.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI