VYPR
Unrated severity · NVD Advisory · Published Dec 21, 2022 · Updated Apr 15, 2025

chedabob whatismyudid mobileconfig.js exports.enrollment cross site scripting

CVE-2020-36621

Description

A vulnerability, which was classified as problematic, has been found in chedabob whatismyudid. Affected by this issue is the function exports.enrollment of the file routes/mobileconfig.js. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is bb33d4325fba80e7ea68b79121dba025caf6f45f. It is recommended to apply a patch to fix this issue. VDB-216470 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-36621 is a reflected XSS vulnerability in the `/enrollment` route of whatismyudid, allowing remote attackers to inject arbitrary scripts via the `udid` parameter.

Vulnerability

The vulnerability is a reflected cross-site scripting (XSS) issue in the exports.enrollment function within routes/mobileconfig.js of the chedabob/whatismyudid project. The function processes the udid parameter from the query string and later renders it in a response without proper sanitization or validation. Versions prior to commit bb33d4325fba80e7ea68b79121dba025caf6f45f are affected [1].

Exploitation

An attacker can craft a URL containing a malicious udid parameter (e.g., a script payload) and trick a user into visiting that link. No authentication or special network position is required; user interaction is needed to open the crafted URL. The unsanitized input is then rendered in the response, executing the injected script in the user's browser context.

Impact

Successful exploitation leads to reflected XSS, enabling the attacker to execute arbitrary JavaScript in the victim's session. This could result in theft of sensitive data (such as cookies or the user's UDID), session hijacking, or other client-side attacks within the application's domain.

Mitigation

The vulnerability is fixed in commit bb33d4325fba80e7ea68b79121dba025caf6f45f [1]. The patch introduces an extractValidUdid() function that validates the input against a strict pattern before storing or rendering it. It also sets the newudid cookie with httpOnly: true and secure: true (in production) to further mitigate exploitation. Users should update to the patched version. No workarounds are provided in the available references.
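The following is an added example, not code from the whatismyudid project, that models the decision logic of the hardened `/enrollment` route described above so it can be run and tested without Express. It keeps the two UDID shapes from the patch's regular expression but anchors the pattern, rejects non-string input (a repeated `?udid=` parameter arrives as an array), and uses the validated value rather than the raw query or cookie string for both the cookie and the render. The function names `validateUdid`, `cookieOptions` and `decideEnrollment`, the `sameSite` option and the `no-udid` view name are assumptions introduced here.

```javascript
// Added example (not project code): hardened model of the /enrollment logic.
// Assumed names: validateUdid, cookieOptions, decideEnrollment, view 'no-udid'.

// Anchored version of the patch's pattern: the whole value must be a UDID,
// not merely contain one somewhere inside a longer string.
const UDID_RE = /^(?:0000[\d]{4}-00[A-Fa-f\d]+|[a-fA-F\d]{40})$/;

// Returns the UDID when `value` is exactly a UDID string, otherwise null.
// Non-string input (e.g. an array from ?udid=a&udid=b) is rejected instead of
// throwing a TypeError from String.prototype.match.
function validateUdid(value) {
  if (typeof value !== 'string') return null;
  return UDID_RE.test(value) ? value : null;
}

// Cookie options mirroring the patch: short lifetime, not readable by script,
// Secure only in production (a local HTTP dev server would otherwise drop it).
// sameSite is an addition beyond the patch (assumption); the cookie is only
// consumed by the handler's own same-site redirect.
function cookieOptions(nodeEnv) {
  return {
    maxAge: 10 * 60 * 1000, // 10 minutes
    httpOnly: true,
    secure: nodeEnv === 'production',
    sameSite: 'lax',
  };
}

// Pure model of the route's branches. `query` is the parsed query object,
// `cookies` the parsed cookie object. Returns a description of the response
// the handler would produce instead of touching an Express `res`.
function decideEnrollment(query, cookies, nodeEnv) {
  const fromQuery = validateUdid(query.udid);
  if (fromQuery) {
    // Store the *validated* value, then redirect so the UDID leaves the URL.
    return {
      action: 'set-cookie-and-redirect',
      udid: fromQuery,
      cookie: cookieOptions(nodeEnv),
      location: '/enrollment',
    };
  }
  const fromCookie = validateUdid(cookies.newudid);
  if (fromCookie) {
    // Render the validated value, never the raw cookie string.
    return { action: 'render', view: 'udid', udid: fromCookie };
  }
  // No usable UDID anywhere: fall through to the "nothing to show" page.
  return { action: 'render', view: 'no-udid' };
}

// Demo over constructed sample values (not real device identifiers).
function runDemo() {
  const good = '00001234-00AABBCCDDEEFF11';
  return [
    decideEnrollment({ udid: good }, {}, 'production'),
    decideEnrollment({ udid: good + ' trailing text' }, {}, 'development'),
    decideEnrollment({ udid: [good, good] }, { newudid: 'a'.repeat(40) }, 'development'),
  ];
}

for (const result of runDemo()) console.log(JSON.stringify(result));
```

The first demo call sets the cookie and redirects; the second is refused because the anchored pattern does not accept trailing content; the third ignores the array in the query and falls back to the 40-hex cookie value, which the unanchored check in the original patch would also have accepted but only after the raw query array had already been handed to `match`.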

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

bb33d4325fba

fix: set cookie securely, and prevent XSS in the `/enrollment` route

https://github.com/chedabob/whatismyudid · Matt Malone · Sep 30, 2020 · via osv
2 files changed · +22 −7
  • app.js  +0 −1  modified
    @@ -18,7 +18,6 @@ app.set('port', process.env.PORT || 3001);
     app.set('views', __dirname + '/views');
     app.set('view engine', 'pug');
     
    -app.use(express.urlencoded({extended: true})); 
     app.use(cookieParser(process.env.COOKIE_KEY || 'f76210bc2acc4f54af5754e15b0aab05'));
     app.use(express.static(path.join(__dirname, 'public')));
     app.use(express.raw({
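Review bot: the removal of `app.use(express.urlencoded({extended: true}));` is not covered by the commit message, which only mentions the cookie flags and the `/enrollment` XSS; please say why it goes. From the visible lines the likely reason is that a form-encoded body would be consumed by `express.urlencoded` before `express.raw` sees it, so `req.body.toString()` in `exports.enroll` would no longer operate on the raw bytes, but that should be stated rather than left for the reader to infer. Separately, the unchanged context line `app.use(cookieParser(process.env.COOKIE_KEY || 'f76210bc2acc4f54af5754e15b0aab05'));` ships a hardcoded fallback cookie-signing key that lives in the public repository; consider failing at startup when `COOKIE_KEY` is unset instead of silently signing with a known value.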
    
  • routes/mobileconfig.js  +22 −6  modified
    @@ -10,15 +10,20 @@ exports.enrollment = function(req, res){
         var query = url_parts.query;
         
         var tudid = query.udid;
    -    if (tudid) // If it's in the query, store it and redirect (so the user doesn't see the UDID being sent in the URL)
    +    if (tudid && extractValidUdid(tudid)) // If it's in the query, store it and redirect (so the user doesn't see the UDID being sent in the URL)
         {
    -        res.cookie('newudid', query.udid, { maxAge: 10 * 60 * 1000});     // Store for 10 minutes
    +        res.cookie('newudid', query.udid, 
    +        { 
    +            maxAge: 10 * 60 * 1000,
    +            httpOnly: true,
    +            secure: process.env.NODE_ENV === 'production'? true: false
    +        });
             res.redirect('/enrollment');
         }
         else
         {
             var cookie = req.cookies.newudid;
    -        if (cookie) {
    +        if (cookie && extractValidUdid(cookie)) {
                 // Found the cookie, let's render it
                 res.render('udid', { udid: cookie, title: 'udid.fyi'});
             }
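Review bot: the cookie is still written from the raw `query.udid` rather than from the value `extractValidUdid(tudid)` returns, and the render branch likewise passes the raw `cookie` to the template after only checking that `extractValidUdid(cookie)` is truthy. Since `extractValidUdid` uses an unanchored `match`, both checks succeed whenever a UDID-shaped substring appears anywhere in the value, so whatever surrounds that substring is still stored and still reaches `res.render('udid', { udid: cookie, title: 'udid.fyi'})`. Suggest capturing the extracted value once and using it in both places, e.g. `var udid = extractValidUdid(tudid);` then `res.cookie('newudid', udid, ...)`, and `res.render('udid', { udid: extractValidUdid(cookie), ... })` in the cookie branch. Minor: `secure: process.env.NODE_ENV === 'production'? true: false` is just `secure: process.env.NODE_ENV === 'production'`, and `sameSite: 'lax'` would sit naturally beside `httpOnly` given the cookie is only read back by the route's own redirect.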
    @@ -29,13 +34,24 @@ exports.enrollment = function(req, res){
         }
     }
     exports.enroll = function(req, res){
    -    var match = req.body.toString().match(/(0000[\d]{4}-00[A-Fa-f\d]+)|([a-fA-F\d]{40})/);
    +    var udid = extractValidUdid(req.body.toString())
     
    -    if (match && match.length > 0) {
    -        res.redirect(301,'/enrollment?udid=' + match[0]);
    +    if (udid) {
    +        res.redirect(301,'/enrollment?udid=' + udid);
         }
         else {
             res.status(400)
             res.send('Did not find a valid UDID in the body')
         }
     };
    +
    +function extractValidUdid (udid) {
    +    const match = udid.match(/(0000[\d]{4}-00[A-Fa-f\d]+)|([a-fA-F\d]{40})/);
    +
    +    if (match && match.length > 0) {
    +        return match[0]
    +    }
    +    else {
    +        return null
    +    }
    +}
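Review bot: `extractValidUdid` throws a `TypeError` when `udid` is not a string, and `url_parts.query.udid` is an array when the parameter is repeated (`?udid=a&udid=b`), so the new `extractValidUdid(tudid)` call in the first hunk turns a malformed query into an unhandled exception rather than a 400; add `if (typeof udid !== 'string') return null;` at the top. The regex is deliberately unanchored, which fits `exports.enroll` (pulling a UDID out of a larger request body) but makes the function an extractor rather than a validator, and the first hunk uses it as the latter; if one function is kept, consider an additional anchored `^(...)$` check for values that are supposed to be exactly a UDID. Also `match.length > 0` is always true when `match` is non-null, so `if (match)` suffices, and the new lines drop the trailing semicolons the rest of the file uses.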
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
