7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20178

GHSA ID

GHSA-2q79-56rq-8v3c

EPSS Score

0.25813%

CWE

CWE-200

Published

2/21/2023

Updated

10/20/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-20178

CVE-2017-20178: Codiad information disclosure vulnerability

A vulnerability was found in Codiad 2.8.0. It has been rated as problematic. Affected by this issue is the function saveJSON of the file components/install/process.php. The manipulation of the argument data leads to information disclosure. The attack may be launched remotely. Upgrading to version 2.8.1 is able to address this issue. The name of the patch is 517119de673e62547ee472a730be0604f44342b5. It is recommended to upgrade the affected component. VDB-221498 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20178

GHSA ID

GHSA-2q79-56rq-8v3c

EPSS Score

0.25813%

CWE

CWE-200

Published

2/21/2023

Updated

10/20/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
codiad/codiad	composer	< 2.8.1	2.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the saveJSON function's insecure data formatting. The original implementation wrote JSON data as a PHP comment without line breaks (<?php/*|{data}|*/?>). This structure could be misinterpreted by some PHP processors, allowing the JSON payload to be served as plaintext. The patch explicitly adds \r\n line breaks around the JSON data to ensure proper comment parsing. The function's direct role in handling sensitive data storage and the explicit reference in CVE/GHSA advisories confirm its vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in *o*i** *.*.*. It **s ***n r*t** *s pro*l*m*ti*. *****t** *y t*is issu* is t** *un*tion s*v*JSON o* t** *il* *ompon*nts/inst*ll/pro**ss.p*p. T** m*nipul*tion o* t** *r*um*nt **t* l***s to in*orm*tion *is*losur*. T** *tt**k

Reasoning

T** vuln*r**ility st*ms *rom t** s*v*JSON *un*tion's ins**ur* **t* *orm*ttin*. T** ori*in*l impl*m*nt*tion wrot* JSON **t* *s * P*P *omm*nt wit*out lin* *r**ks (<?p*p/*|{**t*}|*/?>). T*is stru*tur* *oul* ** misint*rpr*t** *y som* P*P pro**ssors, *llo

7.5

Basic Information

Concerned about an active attack path?

CVE-2017-20178: Codiad information disclosure vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI