CVE-2019-13970
Description
A self-XSS vulnerability in antSword database configuration pages before version 2.1.0 allows attackers to achieve code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2019-13970 is a self-XSS vulnerability found in antSword versions prior to 2.1.0. The flaw exists in multiple database configuration modules: modules/database/asp/index.js, modules/database/custom/index.js, modules/database/index.js, and modules/database/php/index.js. The root cause is insufficient sanitization of user-controlled input displayed in the user interface, which allows an attacker to inject malicious JavaScript code that executes in the context of the application's Electron-based GUI [1] [2].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must first gain the ability to inject crafted payloads into database configuration fields that are subsequently rendered without proper escaping. In the context of antSword, which is a cross-platform website administration tool commonly used by penetration testers, an attacker could trick a user (e.g., via social engineering) into importing a malicious configuration or entering crafted data during database setup. The fix commit shows that the antSword.noxss() function was applied to sanitize text values such as connection type labels, display names, and other user-controllable strings [2] [3].
Impact
Successful exploitation of this self-XSS can lead to arbitrary code execution within the Electron application's context. Since antSword runs with Node.js integration enabled in Electron, an attacker who executes JavaScript in this environment can gain full access to the underlying system—reading local files, executing shell commands, and interacting with the system as the current user. This elevates a client-side injection vulnerability into a severe remote code execution scenario when combined with Electron's capabilities [1] [2].
Mitigation
Users should upgrade to antSword version 2.1.0 or later, where the self-XSS has been addressed by properly escaping user-supplied data using the noxss helper function before rendering it in the UI. The fix was applied in commit 4b932e81447b4b0475f4fce45525547395c249d3 and merged with the release of version 2.1.0. No official workaround exists for installations that cannot be updated [2] [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
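The pattern the fix commit addresses, as an added example that is not antSword's own code: a connection label built straight from config fields beside the same label passed through an escaper before it reaches the HTML-rendering list widget. `escapeHtml` stands in for `antSword.noxss()` (whose exact rules are not on this page), and the config record is constructed sample data.

```javascript
// Added example, not antSword code. `escapeHtml` is an assumed stand-in for
// antSword.noxss(); the config below is constructed sample data.

// Minimal HTML escaper for the characters that matter in text nodes and
// attribute values when a string is rendered via innerHTML.
function escapeHtml(str) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(str).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Before the fix: the `type://user@host` label is interpolated from the
// database config with no escaping (the sink the advisory describes).
function buildConnItemsVulnerable(conf) {
  return Object.keys(conf).map((k) => ({
    id: `conn::${k}`,
    text: `${conf[k].type}://${conf[k].user}@${conf[k].host}`,
  }));
}

// After the fix: the whole label goes through the escaper, mirroring the
// php/index.js hunk where antSword.noxss() wraps the template string.
function buildConnItemsFixed(conf) {
  return Object.keys(conf).map((k) => ({
    id: `conn::${k}`,
    text: escapeHtml(`${conf[k].type}://${conf[k].user}@${conf[k].host}`),
  }));
}

// Defender-side check: a label that will be set as HTML must carry no
// raw markup-significant characters.
function isInert(text) {
  return !/[<>"'`]/.test(text);
}

// Constructed config: one connection whose `user` field carries markup, as
// an imported or hand-edited configuration file could.
const sampleConf = {
  0: { type: 'mysql', user: 'admin<b title="x">!</b>', host: 'db.example.test' },
};

console.log('vulnerable:', buildConnItemsVulnerable(sampleConf)[0].text);
console.log('fixed:     ', buildConnItemsFixed(sampleConf)[0].text);
```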
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| antsword (npm) | < 2.1.0 | 2.1.0 |
Affected products
- antSword/antSword
Patches
- 4b932e81447b (Fix: Database) fix #151 (thx @miaochiahao)
5 files changed · +5 −4
CHANGELOG.md+1 −0 modified@@ -4,6 +4,7 @@ ## `v(2.0.7.3) * 主窗口增加 CSP 策略 +* Fix self-xss in database config #151 (thx @miaochiahao) ## `v(2.0.7.2)`
source/modules/database/asp/index.js+1 −1 modified@@ -139,7 +139,7 @@ class ASP { items.push({ id: `conn::${_}`, // text: `${conf[_]['type']}:\/\/${conf[_]['user']}@${conf[_]['host']}`, - text: conf[_]['type'].toUpperCase(), + text: antSword.noxss(conf[_]['type'].toUpperCase()), im0: this.manager.list.imgs[0], im1: this.manager.list.imgs[0], im2: this.manager.list.imgs[0]
source/modules/database/custom/index.js+1 −1 modified@@ -124,7 +124,7 @@ class CUSTOM { items.push({ id: `conn::${_}`, // text: `${conf[_]['type']}:\/\/${conf[_]['user']}@${conf[_]['host']}`, - text: conf[_]['type'].toUpperCase(), + text: antSword.noxss(conf[_]['type'].toUpperCase()), im0: this.manager.list.imgs[0], im1: this.manager.list.imgs[0], im2: this.manager.list.imgs[0]
source/modules/database/index.js+1 −1 modified@@ -251,7 +251,7 @@ class Database { data_arr.push({ id: i+1, data: [ - func_mapping.hasOwnProperty(item[0]) ? func_mapping[item[0]] : item[0], + func_mapping.hasOwnProperty(item[0]) ? func_mapping[item[0]] : antSword.noxss(item[0]), parseInt(item[1]) === 1 ? "√" : "×", ], style: parseInt(item[1]) === 1 ? "background-color:#ADF1B9": "",
source/modules/database/php/index.js+1 −1 modified@@ -288,7 +288,7 @@ class PHP { for (let _ in conf) { items.push({ id: `conn::${_}`, - text: `${conf[_]['type']}:\/\/${conf[_]['user']}@${conf[_]['host']}`, + text: antSword.noxss(`${conf[_]['type']}:\/\/${conf[_]['user']}@${conf[_]['host']}`), im0: this.manager.list.imgs[0], im1: this.manager.list.imgs[0], im2: this.manager.list.imgs[0]
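Review bot: the new CHANGELOG.md line sits under `## v(2.0.7.3)` while the advisory lists 2.1.0 as the first patched release; if 2.0.7.3 is the pre-release name for what shipped as 2.1.0, say so in the entry or file it under the released version, so someone mapping CVE-2019-13970 to a changelog entry finds it.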
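Review bot: in the `asp/index.js` hunk only the `type` label is escaped, and the commented-out `text:` line directly above still builds the `type://user@host` form with no escaping, so whoever restores it gets the bug back. Either delete the dead line or rewrite it with `antSword.noxss()` applied, matching the `php/index.js` hunk.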
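Review bot: the `custom/index.js` hunk is the same fix as `asp/index.js` applied to an identical `items.push({...})` block, dead comment included. A shared helper that builds connection list items with escaping already applied would mean the next sanitization fix is made once instead of in four modules.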
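Review bot: in the `database/index.js` hunk the escape is applied only to the fallthrough branch of the ternary, which is sound only while every `func_mapping` value is a static string. Either escape both branches or add a one-line comment stating that assumption, so a later dynamic entry in `func_mapping` does not silently reopen the sink.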
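Review bot: the `php/index.js` hunk runs the whole interpolated `type://user@host` string through `antSword.noxss()`, so the `://` and `@` separators are escaped along with the fields. That is fine if the helper only rewrites `&<>"'` and similar, but if it also encodes `/` or `@` the label will render with entities; confirm against the helper's character set, or escape the three fields individually before interpolating.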
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hq75-ggc3-8h3q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-13970 (advisory)
- github.com/AntSwordProject/antSword/commit/4b932e81447b4b0475f4fce45525547395c249d3 (fix commit)
- github.com/AntSwordProject/antSword/compare/ed01dea...834063a (compare view)
- github.com/AntSwordProject/antSword/issues/151 (issue)