CVSS Score
The vulnerability stemmed from three flaws in the flashvars handling:

1. `checkFlashVars` validated parameters too loosely, so obfuscated parameter names and values were accepted.
2. `parseStr` URL-decoded input improperly, which allowed parameter injection.
3. `isIllegalChar` filtered an incomplete set of characters and missed modern JavaScript syntax.

Commit 34834ee replaced these with strict validation of the whole query string (`isIllegalQuerystring`) and removed the dangerous parsing logic, confirming that these functions were the source of the vulnerability. The XSS occurred when specially crafted parameters passed these flawed checks and were executed as arbitrary JavaScript.
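To show the shape of the hardened approach (validate the whole query string against an allow list instead of blacklisting characters), here is an added example; it is not MediaElement's code and does not reproduce commit 34834ee. The function name `isIllegalQuerystring`, the allow-listed keys and the safe-character set are assumptions chosen for illustration.

```javascript
// Added example, not MediaElement's code: a strict allow-list validator for a
// flashvars-style query string. The three checks map onto the three flaws the
// advisory describes. Assumed names: ALLOWED_KEYS, SAFE_VALUE, isIllegalQuerystring.
const ALLOWED_KEYS = new Set(['file', 'autoplay', 'volume', 'controls']);
// Characters that can never open JS or HTML syntax; extend deliberately if needed.
const SAFE_VALUE = /^[A-Za-z0-9._:\/-]*$/;

// Decode a value exactly once. Anything still %-encoded afterwards was
// double-encoded and is rejected rather than decoded again.
function decodeOnce(s) {
  let decoded;
  try {
    decoded = decodeURIComponent(s);
  } catch (e) {
    return null;                                   // malformed %-sequence
  }
  return /%[0-9A-Fa-f]{2}/.test(decoded) ? null : decoded;
}

// Returns true when the query string must be rejected.
function isIllegalQuerystring(qs) {
  if (typeof qs !== 'string' || qs.length > 2048) return true;
  for (const pair of qs.split('&')) {              // split BEFORE decoding, so an
    if (pair === '') continue;                     // encoded '&' cannot add a parameter
    const eq = pair.indexOf('=');
    if (eq < 0) return true;                       // bare keys are not a valid pair
    const key = pair.slice(0, eq);
    if (!ALLOWED_KEYS.has(key)) return true;       // keys are matched literally, so an
                                                   // obfuscated spelling is rejected
    const value = decodeOnce(pair.slice(eq + 1));
    if (value === null) return true;               // malformed or double-encoded
    if (!SAFE_VALUE.test(value)) return true;      // quotes, <, >, (, ), ;, & ...
  }
  return false;
}
```

The point of the structure is that each parameter is checked against what is expected, so a value that would have slipped past a per-character blacklist is rejected simply because it is not in the safe set.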
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mediaelement | npm | < 2.11.1 | 2.11.1 |
| contao-components/mediaelement | composer | >= 2.14.2, < 2.21.1 | 2.21.1 |
| contao/core | composer | >= 3.0.0, < 3.5.15 | 3.5.15 |