CVE-2020-28470

Severity: 7.3 HIGH

📋 TL;DR

This vulnerability in @scullyio/scully allows cross-site scripting (XSS) attacks through improper serialization of transfer state data. Attackers can inject malicious scripts that execute when users view affected pages. Anyone using vulnerable versions of Scully for static site generation is affected.

💻 Affected Systems

Products:
  • @scullyio/scully
Versions: All versions before 1.0.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Scully-based static sites using transfer state functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, session hijacking, credential theft, and malware distribution to all site visitors.

🟠 Likely Case: Limited XSS attacks stealing session cookies or performing actions on behalf of authenticated users.

🟢 If Mitigated: No impact if proper content security policies and input validation are implemented alongside patching.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS exploitation is well-understood and tools exist to automate attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.9 and later

Vendor Advisory: https://github.com/scullyio/scully/pull/1182

Restart Required: Yes

Instructions:

1. Update package.json to specify @scullyio/scully version 1.0.9 or higher.
2. Run npm update @scullyio/scully.
3. Rebuild and redeploy your Scully application.

🔧 Temporary Workarounds

Implement Content Security Policy (platform: all)

Add strict CSP headers to prevent script execution from untrusted sources:

Content-Security-Policy: default-src 'self'; script-src 'self'

Disable Transfer State (platform: all)

Remove or disable transfer state functionality if it is not required.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user-controlled data
  • Deploy web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json for @scullyio/scully version. If version is below 1.0.9, you are vulnerable.

Check Version:

npm list @scullyio/scully

Verify Fix Applied:

Confirm package.json shows @scullyio/scully version 1.0.9 or higher and rebuild application.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in HTML output
  • Suspicious characters in serialized JSON

Network Indicators:

  • Malicious script payloads in HTTP requests
  • Unexpected external script loads

SIEM Query:

web_requests WHERE url CONTAINS 'script' AND (body CONTAINS '<script>' OR body CONTAINS 'javascript:')
