CVE-2020-13459: Image Resizer Cross-site Scripting (XSS) in the Bulk Resize action
5.4
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.43188%
CWE
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
verbb/image-resizer | composer | < 2.0.9 | 2.0.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability exists in the Bulk Resize action, which is typically handled by a controller in MVC frameworks like Craft CMS. The changelog explicitly mentions fixing XSS in this action, indicating input sanitization was missing in the controller/view layer. Craft CMS plugins commonly use controllers to handle admin actions, and XSS would occur when unsanitized user input (e.g., filenames
or parameters
) is reflected in admin panels. The lack of escaping in the Bulk Resize interface before v2.0.9 would allow stored XSS via crafted input.