CVE-2010-10004: Information Cards Module vulnerable to Cross-site Scripting
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.18664%
CWE
Published
1/9/2023
Updated
10/13/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
simplesamlphp/simplesamlphp-module-infocard | composer | < 1.0 | 1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure output encoding in template files (templates/temp-getcardform.php
and templates/temp-login.php
), where user-controlled parameters like $this->data['stateparams']['AuthState']
, $this->data['username']
, and $this->data['password']
were directly embedded into HTML without proper escaping (via htmlspecialchars()
). While the commit diff shows the exact lines where XSS occurred, these are inline template rendering operations (echo statements) rather than discrete functions. The root cause is improper output encoding in template logic, not specific named functions.