Miggo Logo
Miggo Vulnerability Database
CVE-2017-7204

CVE-2017-7204: imdbphp Cross-Site Scripting (XSS)

6.1

CVSS Score
3.0

Basic Information

CVE ID
CVE-2017-7204
GHSA ID
GHSA-8jxq-gpmr-h4g4
EPSS Score
0.52978%
CWE
CWE-79
Published
5/17/2022
Updated
4/25/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
imdbphp/imdbphpcomposer<= 5.1.15.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The XSS vulnerability in imdbphp 5.1.1 stems from direct output of the $_GET['name'] parameter without proper escaping in search.php. While the patch introduced the esc() function to sanitize output, the vulnerable version lacked this mitigation. The root cause is not a specific vulnerable function but rather the absence of output sanitization in template rendering (echo $_GET['name'] in search.php). Since PHP's echo is a language construct and not a function, and the vulnerability arises from missing sanitization logic rather than a flawed function, no specific functions meet the criteria for inclusion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-Sit* S*riptin* (XSS) w*s *is*ov*r** in im**p*p *.*.*. T** vuln*r**ility *xists *u* to insu**i*i*nt *iltr*tion o* us*r-suppli** **t* (n*m*) p*ss** to t** "im**p*p-m*st*r/**mo/s**r**.p*p" URL. *n *tt**k*r *oul* *x**ut* *r*itr*ry *TML *n* s*ript

Reasoning

T** XSS vuln*r**ility in im**p*p *.*.* st*ms *rom *ir**t output o* t** $_**T['n*m*'] p*r*m*t*r wit*out prop*r *s**pin* in s**r**.p*p. W*il* t** p*t** intro*u*** t** *s*() *un*tion to s*nitiz* output, t** vuln*r**l* v*rsion l**k** t*is miti**tion. T**