Miggo Logo
Miggo Vulnerability Database
CVE-2016-4855

CVE-2016-4855: ADOdb Cross-site scripting vulnerability in old test script

6.1

CVSS Score
3.0

Basic Information

CVE ID
CVE-2016-4855
GHSA ID
GHSA-hhfw-xxhm-pf32
EPSS Score
0.68835%
CWE
CWE-79
Published
5/17/2022
Updated
2/5/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
adodb/adodb-phpcomposer< 5.20.65.20.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from inline code in the 'tests/test.php' script that processes all GET parameters without proper validation, allowing attackers to inject arbitrary variables. The code in question is a foreach loop in the global scope (not within a named function) that blindly assigns user-supplied GET parameters to variables (using variable variables: $$k = $v). The lack of input validation here directly enables XSS. Since the vulnerable code is not encapsulated within a specific function but exists in the script's main execution flow, no named functions are identified as vulnerable with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* vuln*r**ility in **O** v*rsions prior to *.**.* *llows r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML vi* unsp**i*i** v**tors.

Reasoning

T** vuln*r**ility st*ms *rom inlin* *o** in t** 't*sts/t*st.p*p' s*ript t**t pro**ss*s *ll **T p*r*m*t*rs wit*out prop*r v*li**tion, *llowin* *tt**k*rs to inj**t *r*itr*ry v*ri**l*s. T** *o** in qu*stion is * *or**** loop in t** *lo**l s*op* (not wit