Commit 8a4ac53 adds HTML escaping (the e() function) around title and file_name output in several file-upload templates. The vulnerability surfaces in profile image caption handling, which renders through these templates. Before the patch, user-controlled title values were interpolated directly into HTML without output encoding, so a malicious caption executed as script when an administrator viewed that user's profile (stored XSS). The affected partial templates (_image_single.htm and _image_multi.htm) are identified in the diff as the points where output encoding was missing.
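As an added illustration, not code from the October commit or the project, the following minimal PHP stand-in for the affected partials renders the same item twice: once with the pre-patch verbatim interpolation and once with the title and file_name wrapped in e(). The e() helper, the render functions and the sample caption are assumed stand-ins constructed for this example.

```php
<?php
// Added example (not OctoberCMS code): a minimal stand-in for the
// _image_single.htm / _image_multi.htm partials, before and after the fix.
// This local e() is an assumed stand-in mirroring the escaping helper the
// patch relies on: entity-encode <, >, &, and both quote styles.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before the patch: title and file_name are interpolated as-is, so a title
// can close the attribute and inject markup into the admin page.
function renderImageItemVulnerable(array $file): string
{
    return '<div class="upload-object" title="' . $file['title'] . '">'
         . '<span class="file-name">' . $file['file_name'] . '</span></div>';
}

// After the patch: every user-controlled value passes through e() first.
function renderImageItemPatched(array $file): string
{
    return '<div class="upload-object" title="' . e($file['title']) . '">'
         . '<span class="file-name">' . e($file['file_name']) . '</span></div>';
}

// Constructed sample: a profile-image caption that carries markup and a
// quote, the case the patched partials must neutralise.
$file = [
    'title'     => '"><script>alert(1)</script>',
    'file_name' => 'avatar.png',
];

echo renderImageItemVulnerable($file), PHP_EOL; // raw <script> reaches the browser
echo renderImageItemPatched($file), PHP_EOL;    // rendered as inert text

// Check a reviewer can run against any partial: no raw tag or unescaped
// quote survives the patched render, while the escaped form is present.
$patched = renderImageItemPatched($file);
assert(strpos($patched, '<script') === false);
assert(strpos($patched, '&lt;script&gt;') !== false);
assert(strpos($patched, '&quot;&gt;') !== false);
```

The same check is worth applying to any other backend partial that echoes a user-supplied field, since the fix only covers the templates named in the diff.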
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| october/october | composer | < 1.0.319 | 1.0.319 |