CVSS Score: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pimcore/pimcore | composer | < 6.3.0 | 6.3.0 |
The vulnerability stems from the showEmailLogAction method in EmailController.php, which renders HTML email logs. The pre-patch version returned user-controlled HTML content directly via `new Response($emailLog->getHtmlLog())` without any Content-Security-Policy header, so any script embedded in a logged email executed in the browser of the user viewing the log. The fix explicitly adds a Content-Security-Policy header to the response to mitigate this XSS. The method's direct output of unsanitized HTML combined with the missing security header makes it the clear vulnerable entry point.
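As an added illustration (not code from this advisory or from pimcore itself), the vulnerable pattern is shown beside a hardened form using Symfony's Response API; the function names, the autoload path and the exact Content-Security-Policy value are assumptions, not the policy chosen in the 6.3.0 patch.

```php
<?php
// Assumption: a Composer project with symfony/http-foundation installed.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Response;

// Before (hypothetical name): stored HTML from the email log is returned
// verbatim with no CSP, so any <script> in the logged email runs in the
// browser of whoever views the log.
function showEmailLogVulnerable(string $htmlLog): Response
{
    return new Response($htmlLog);
}

// After (hypothetical name): the same HTML is served, but a restrictive CSP
// tells the browser not to execute scripts, fetch external resources or
// submit forms. Inline styles and same-origin/data images stay allowed so
// the logged email still renders readably. Policy value is an assumption.
function showEmailLogHardened(string $htmlLog): Response
{
    $response = new Response($htmlLog);
    $response->headers->set(
        'Content-Security-Policy',
        "default-src 'none'; img-src 'self' data:; style-src 'unsafe-inline'; form-action 'none'"
    );
    return $response;
}

// Constructed sample: a logged email body carrying an injected script tag.
$sample = '<p>Order confirmation</p><script>console.log("injected")</script>';

// Quick check of the difference between the two responses.
assert(!showEmailLogVulnerable($sample)->headers->has('Content-Security-Policy'));
assert(showEmailLogHardened($sample)->headers->has('Content-Security-Policy'));
echo showEmailLogHardened($sample)->headers->get('Content-Security-Policy'), PHP_EOL;
```

Note that the header only stops the browser from running the embedded script; the untrusted HTML itself is still delivered, so a reviewer would also confirm the policy is present on every route that renders stored email content.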