-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ec-cube/ec-cube | composer | < 2.4.4 | 2.4.4 |
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability stems from Smarty's escape filter being used without proper context specification in JavaScript event handlers. The patch added 'escape:"javascript"' to the template variables, indicating the original code lacked context-aware escaping. The REQUEST_URI parameter passed to fnChangeAction in onclick handlers was vulnerable to injection as it wasn't properly sanitized for JavaScript execution context, allowing attackers to craft malicious URLs containing XSS payloads.
Ongoing coverage of React2Shell