6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-15484

GHSA ID

GHSA-fp8m-xw3f-6h7x

EPSS Score

0.53281%

CWE

CWE-79

Published

5/24/2022

Updated

4/23/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-15484

CVE-2019-15484: Bolt Cross-site Scripting (XSS) via an image's alt or title field

Bolt before 3.6.10 has XSS via an image's alt or title field.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-15484

CVE-2019-15484:

6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-15484

GHSA ID

GHSA-fp8m-xw3f-6h7x

EPSS Score

0.53281%

CWE

CWE-79

Published

5/24/2022

Updated

4/23/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bolt/bolt	composer	< 3.6.10	3.6.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: 1) Insufficient input sanitization when storing user-controlled alt/title fields in the admin interface (FileManagerController), and 2) Lack of proper HTML attribute escaping during template rendering (TemplateTwigExtension). The patch in 3.6.10 (#7801) specifically targeted these areas by adding HTML escaping for these fields, confirming these as the vulnerable components. The authenticated XSS vector aligns with FileManagerController's role in handling privileged user input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-15484: Bolt Cross-site Scripting (XSS) via an image's alt or title field

CVE-2019-15484:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.1

6.1

CVE-2019-15484: Bolt Cross-site Scripting (XSS) via an image's alt or title field

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI