CVSS Score: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| croogo/croogo | composer | < 4.0.0 | 4.0.0 |
The vulnerability is a cross-site scripting flaw in the rendering of page names: a page name is written into admin-panel HTML without output encoding. The available sources do not name the specific PHP function or template involved; what they establish is that user-controlled page names are echoed in admin-panel templates. In CakePHP-based applications such as Croogo, a template file (`.ctp`) that outputs a value with `<?= $variable ?>` instead of `<?= h($variable) ?>` (CakePHP's HTML-escaping helper) renders any markup stored in that value as live HTML. Because the reproduction steps show unsanitized output in admin views, template rendering is the most likely location of the flaw, and the output sink, not input validation of the name, is where the fix belongs.
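The following is an added example, not Croogo's or CakePHP's own code, that puts the unescaped pattern described above beside its `h()`-escaped form and checks the result. It assumes CakePHP's `h()` is `htmlspecialchars()` with `ENT_QUOTES | ENT_SUBSTITUTE` and UTF-8, so a matching fallback is defined to let the script run without a CakePHP install; the page rows and the payload title are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not Croogo's or CakePHP's own code: the vulnerable template
// pattern the advisory describes beside its fix, run as a stand-alone script.
//
// Assumption: CakePHP's h() helper wraps htmlspecialchars() with
// ENT_QUOTES | ENT_SUBSTITUTE and UTF-8. The fallback below mirrors that so the
// script runs without a CakePHP install; inside a real app the framework's own
// h() is used instead.
if (!function_exists('h')) {
    function h(string $text, bool $double = true, string $charset = 'UTF-8'): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, $charset, $double);
    }
}

// Constructed rows standing in for the entities an admin "pages" listing
// receives. The second title is what an attacker would save as a page name.
$pages = [
    ['id' => 1, 'title' => 'About us'],
    ['id' => 2, 'title' => '<img src=x onerror="alert(document.cookie)">'],
    ['id' => 3, 'title' => 'Ops & "quotes"'],
];

// Vulnerable rendering: the short-echo pattern with no escaping at the sink.
function renderUnsafe(array $pages): string
{
    $html = "<table>\n";
    foreach ($pages as $page) {
        $html .= "  <tr><td>{$page['id']}</td><td>{$page['title']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened rendering: every user-controlled value goes through h() at the point
// where it is written into HTML. Escaping at output protects the admin view
// regardless of what was accepted when the page was saved.
function renderSafe(array $pages): string
{
    $html = "<table>\n";
    foreach ($pages as $page) {
        $html .= '  <tr><td>' . h((string) $page['id']) . '</td><td>'
               . h($page['title']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Regression check suitable for a test suite: the payload must survive only as
// text, never as markup. Throws instead of assert(), which php.ini may disable.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$unsafe = renderUnsafe($pages);
$safe   = renderSafe($pages);

echo "--- unescaped (vulnerable) ---\n", $unsafe;
echo "--- h()-escaped (fixed) ---\n", $safe;

check(str_contains($unsafe, '<img src=x onerror='), 'injection lands in the unescaped view');
check(!str_contains($safe, '<img'), 'no live tag in the escaped view');
check(str_contains($safe, '&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;'), 'payload rendered as text');
check(str_contains($safe, 'Ops &amp; &quot;quotes&quot;'), 'ordinary punctuation still round-trips');
echo "all checks passed\n";
```

In a real `.ctp` file the two forms are `<?= $page->title ?>` (vulnerable) and `<?= h($page->title) ?>` (fixed). Because `h()` uses `ENT_QUOTES`, the escaped value is also safe inside a quoted HTML attribute such as `title="..."`; it is not sufficient on its own for JavaScript or URL contexts, which need their own encoding. A quick audit heuristic is to search the template directories for `<?=` occurrences whose expression is not wrapped in `h(` and review each one.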