
CVE-2018-12290: Yii2-StateMachine extension for Yii2 XSS Vulnerability

CVSS Score: 6.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.47285%
Published: 5/14/2022
Updated: 10/6/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: ptheofan/yii2-statemachine
Ecosystem: composer
Vulnerable Versions: >= 2.0.0-RC1, <= 2.0.0
First Patched Version: not listed

Vulnerability Intelligence

Root Cause Analysis

The exploit demonstrates XSS via the 'role' parameter, indicating insufficient input sanitization. In Yii2, XSS typically occurs when user-controlled data (such as $_GET parameters) is rendered in views without escaping. The advisories do not name the exact functions or files, but the role parameter's involvement points to controller actions that accept the input and view templates that render it unescaped. Confidence is medium: there are no explicit code references, but the description aligns strongly with common Yii2 XSS patterns.
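The rendering pattern described above, shown as an added example in plain PHP rather than code from the advisory or from the ptheofan/yii2-statemachine project. The `$role` value stands in for a user-controlled request parameter; the `encode()` helper is a hypothetical stand-in that applies the same htmlspecialchars() flags that Yii2's `yii\helpers\Html::encode()` uses, so the block runs without Yii installed.

```php
<?php
// Added example, not part of the advisory or the yii2-statemachine project.
// `$role` represents an untrusted request parameter such as `?role=...`
// (in Yii2: Yii::$app->request->get('role')).

// Unsafe: the value is interpolated straight into HTML, which is what a view
// that echoes raw request data does.
function renderRoleUnsafe(string $role): string
{
    return '<span class="role">' . $role . '</span>';
}

// Safe: escape before rendering. Yii2's Html::encode() delegates to
// htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE and the app charset,
// so this hypothetical helper behaves the same way outside Yii.
function encode(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Equivalent of writing <?= Html::encode($role) ?> in a Yii2 view.
function renderRoleSafe(string $role): string
{
    return '<span class="role">' . encode($role) . '</span>';
}

// Constructed input: markup where a plain role name was expected.
$untrusted = '<script>alert(1)</script>';

echo renderRoleUnsafe($untrusted), PHP_EOL;
// <span class="role"><script>alert(1)</script></span>  (browser executes it)

echo renderRoleSafe($untrusted), PHP_EOL;
// <span class="role">&lt;script&gt;alert(1)&lt;/script&gt;</span>  (rendered as text)
```

ENT_QUOTES matters when the value lands inside an attribute rather than element text: it escapes both quote styles, so an injected `"` cannot close the attribute. Escaping at output time, per context, is the fix the root-cause paragraph implies; filtering the parameter on input is not a substitute, because the same value may be rendered in several contexts.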

Vulnerable functions


WAF Protection Rules

WAF Rule

The Yii2-StateMachine extension v2.x.x for Yii2 has XSS.
