
CVE-2019-9553: Bolt Cross-site Scripting via the slug, teaser or title parameters

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.75985%
Published: 5/24/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: bolt/bolt
Ecosystem: composer
Vulnerable Versions: = 3.6.4
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The provided vulnerability information indicates XSS in Bolt 3.6.4 via slug, teaser, and title parameters in the editcontent/pages endpoint, but no specific code snippets, commit diffs, or implementation details are available to identify exact vulnerable functions. While the exploit demonstrates parameter injection via POST requests, the advisory lacks sufficient technical details about input handling mechanisms, template rendering functions, or validation routines to confidently map to specific PHP functions/classes. Without access to the unpatched source code or patch comparisons, we cannot definitively identify the vulnerable functions with high confidence.
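The analysis above describes the general shape of the issue: values submitted as the title, teaser or slug of a page are stored and later placed into rendered HTML. The PHP below is an added illustration, not Bolt's code and not a reproduction of its templates; the record structure, field names and sample values are constructed. It contrasts raw interpolation of the three fields with escaped output for the HTML context and an allow-list normalisation for the slug, which is the mitigation class a fix for this kind of report relies on.

```php
<?php
// Added example (constructed; not Bolt's code). A stored record standing in for a
// page saved through an edit form, with hostile values in the three fields named
// by the advisory.
$record = [
    'title'  => 'Hello <script>alert(1)</script>',
    'teaser' => 'Intro "teaser" & more',
    'slug'   => 'hello-page"><svg onload=alert(1)>',
];

// Unsafe pattern: stored fields interpolated straight into markup. Whatever was
// saved is emitted verbatim, so markup in title/teaser/slug reaches the browser.
function renderUnsafe(array $r): string
{
    return "<h1>{$r['title']}</h1>\n"
         . "<p>{$r['teaser']}</p>\n"
         . "<a href=\"/page/{$r['slug']}\">permalink</a>";
}

// Escape a value for an HTML text or quoted-attribute context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Slugs have a narrow legitimate alphabet, so normalise to an allow-list at write
// time instead of relying on escaping alone; this is also what keeps the URL clean.
function normalizeSlug(string $s): string
{
    $s = strtolower(trim($s));
    $s = preg_replace('/[^a-z0-9]+/', '-', $s);
    return trim($s, '-');
}

// Hardened renderer: every stored field is encoded for the context it lands in.
function renderSafe(array $r): string
{
    $slug = normalizeSlug($r['slug']);
    return '<h1>' . e($r['title']) . "</h1>\n"
         . '<p>' . e($r['teaser']) . "</p>\n"
         . '<a href="/page/' . rawurlencode($slug) . '">permalink</a>';
}

echo "--- unsafe ---\n", renderUnsafe($record), "\n\n";
echo "--- safe ---\n", renderSafe($record), "\n";
// The safe block emits &lt;script&gt;... for the title, &quot; and &amp; in the
// teaser, and the slug "hello-page-svg-onload-alert-1".
```

Run with `php example.php`; the first block shows the script tag and the broken-out attribute arriving intact, the second shows them neutralised. The point for a reviewer is that escaping belongs at the output site, per context, while fields with a known small alphabet (the slug) are additionally constrained on input.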


WAF Protection Rules

WAF Rule

Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to `editcontent/pages`, a related issue to CVE-XXXX-XXXXX and CVE-XXXX-XXXXX (the two related identifiers are masked in the source).
