CVE-2019-9553: Bolt Cross-site Scripting via the slug, teaser or title parameters
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-9553
GHSA ID:
EPSS Score: 0.75985%
CWE:
Published: 5/24/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
bolt/bolt | composer | = 3.6.4 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The provided vulnerability information indicates XSS in Bolt 3.6.4 via slug, teaser, and title parameters in the editcontent/pages endpoint, but no specific code snippets, commit diffs, or implementation details are available to identify exact vulnerable functions. While the exploit demonstrates parameter injection via POST requests, the advisory lacks sufficient technical details about input handling mechanisms, template rendering functions, or validation routines to confidently map to specific PHP functions/classes. Without access to the unpatched source code or patch comparisons, we cannot definitively identify the vulnerable functions with high confidence.