CVE-2010-10004: Information Cards Module vulnerable to Cross-site Scripting

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.18664%
Published: 1/9/2023
Updated: 10/13/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: simplesamlphp/simplesamlphp-module-infocard
Ecosystem: composer
Vulnerable Versions: < 1.0
First Patched Version: 1.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from insecure output encoding in the template files templates/temp-getcardform.php and templates/temp-login.php, where user-controlled values such as $this->data['stateparams']['AuthState'], $this->data['username'] and $this->data['password'] were embedded directly into HTML without being escaped (for example with htmlspecialchars()). The commit diff shows the exact lines where the XSS occurred, but these are inline template rendering operations (echo statements) rather than discrete functions; the root cause is improper output encoding in the template logic, not a specific named function.
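The unescaped-echo pattern described above, next to a hardened form, as an added illustration that is not the infocard module's own template code. The esc() helper, the renderVulnerable()/renderHardened() functions and the sample $data array are constructed for this example; only the value names come from the advisory.

```php
<?php
// Added example: output encoding for the template values named in the root cause.
// Not the SimpleSAMLphp infocard module's code; names other than the $data keys are made up.

/**
 * Encode a value for safe interpolation into HTML text or a double-quoted attribute.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids returning an empty
 * string (and silently dropping the value) when the input is not valid UTF-8.
 */
function esc(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern from the advisory: the request-controlled AuthState value is
// concatenated into the markup verbatim, so quotes and angle brackets reach the browser.
function renderVulnerable(array $data): string
{
    return '<input type="hidden" name="AuthState" value="' . $data['stateparams']['AuthState'] . '">';
}

// Hardened pattern: every interpolated value goes through esc(). The password is
// never echoed back at all, which removes one of the three sinks outright.
function renderHardened(array $data): string
{
    return '<form method="post">'
        . '<input type="hidden" name="AuthState" value="' . esc($data['stateparams']['AuthState']) . '">'
        . '<input type="text" name="username" value="' . esc($data['username'] ?? '') . '">'
        . '<input type="password" name="password" value="">'
        . '</form>';
}

// Constructed sample standing in for $this->data: the AuthState value contains the
// characters (" and < >) that break out of an attribute if left unencoded.
$data = [
    'stateparams' => ['AuthState' => '_abc"><b>x</b>'],
    'username'    => 'alice',
    'password'    => 'not-for-output',
];

$html = renderHardened($data);

// Regression check a reviewer can keep: no raw markup from the value survives encoding.
assert(strpos($html, '<b>') === false);
assert(strpos($html, '&quot;&gt;&lt;b&gt;x&lt;/b&gt;') !== false);
assert(strpos($html, 'not-for-output') === false);

echo $html, PHP_EOL;
```

Running it prints the form with AuthState rendered as `_abc&quot;&gt;&lt;b&gt;x&lt;/b&gt;`, while renderVulnerable($data) would emit the closing quote and tag verbatim.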

WAF Protection Rules

WAF Rule

A vulnerability was found in Information Cards Module and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.0 is able to
