CVE-2020-13870: Comments plugin stored Cross-site Scripting (XSS) via an asset volume name
CVSS Score: 5.4 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-13870
GHSA ID:
EPSS Score: 0.43188%
CWE:
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
verbb/comments | composer | < 1.5.5 | 1.5.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a stored XSS through asset volume names in the Comments plugin (verbb/comments, a Craft CMS plugin). The v1.5.5 patch notes specifically mention fixing XSS in asset volume names, which indicates that the rendering logic lacked output encoding for that field. Exact function names are not available, but the pattern is: 1) a volume name is stored by an authenticated user and later read back into a display context in the plugin's templates; 2) the template rendering does not HTML-entity-encode it; 3) the volume name is treated as trusted, safe HTML rather than as untrusted text. The CVSS vector is consistent with this reading: PR:L (the attacker needs an authenticated account that can set the name), UI:R (a victim has to load the page where the name is rendered), and S:C (the injected script executes in the victim's browser, outside the vulnerable component's own authorization scope). The high confidence comes from the direct correlation between the vulnerability description, the patch note, and this common XSS pattern in template rendering systems. For the same reason, the fix is output encoding at the point of rendering, not input validation of the volume name: in Twig, `{{ volume.name }}` is escaped only while autoescaping is on, and `|raw` or building the HTML string in PHP bypasses it.
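The pattern described above, as an added illustration that is not code from verbb/comments or Craft CMS: the function names, the `uploads` handle and the volume name are constructed for this example, and the real plugin's rendering code is not shown on this page. The vulnerable form concatenates the stored name into HTML; the hardened form encodes every untrusted value for the HTML context it lands in, and a small check shows how a regression test can tell the two apart.

```php
<?php
// Added illustration for CVE-2020-13870, not code from verbb/comments.
// All names below are hypothetical.

// Constructed sample: a volume name as a user with volume-management
// permission could store it. The name field is free text, so nothing
// stops markup from being saved.
$maliciousVolumeName = 'Uploads<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the stored name is interpolated into an HTML string
// as if it were safe markup, so the <img> tag and its onerror handler are
// delivered verbatim to every browser that renders the option list.
function renderVolumeOptionUnsafe(string $volumeHandle, string $volumeName): string
{
    return '<option value="' . $volumeHandle . '">' . $volumeName . '</option>';
}

// Hardened pattern: encode at the output point. ENT_QUOTES also encodes
// both quote characters, so the same helper is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderVolumeOption(string $volumeHandle, string $volumeName): string
{
    return '<option value="' . h($volumeHandle) . '">' . h($volumeName) . '</option>';
}

// Regression check for a unit test (not a sanitizer): if the untrusted value
// contains characters that encoding would change, and it still appears
// verbatim in the rendered fragment, it was emitted without encoding.
function containsRawMarkup(string $html, string $untrusted): bool
{
    return h($untrusted) !== $untrusted && strpos($html, $untrusted) !== false;
}

$unsafe = renderVolumeOptionUnsafe('uploads', $maliciousVolumeName);
$safe   = renderVolumeOption('uploads', $maliciousVolumeName);

var_dump(containsRawMarkup($unsafe, $maliciousVolumeName)); // vulnerable rendering
var_dump(containsRawMarkup($safe, $maliciousVolumeName));   // hardened rendering
echo $safe, PHP_EOL;
```

In the hardened output the `<img` becomes `&lt;img` and the quotes around the `onerror` value become `&quot;`, so the browser shows the name as text. The same rule applies in Twig templates: `{{ volume.name }}` is safe only while autoescaping is on, and `|raw` reintroduces exactly this bug, so a test like `containsRawMarkup` run against rendered template output catches either path.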