-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability stems from unescaped output of query string parameters in backend login handlers. While no patch diffs are available, the consistent references to backend/Login and backend/Login/load endpoints across all vulnerability descriptions indicate the controller actions handling these routes are the injection points. These controller methods would process the request parameters and pass them to views without proper sanitization in vulnerable versions (<5.5.8). The XSS payloads shown in Netsparker's examples demonstrate direct reflection of unsanitized query parameters in HTML responses.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| shopware/shopware | composer | < 5.5.8 | 5.5.8 |
Ongoing coverage of React2Shell