Miggo Logo
Miggo Vulnerability Database
CVE-2020-15155

CVE-2020-15155: Cross Site Scripting(XSS) Vulnerability in Latest Release 4.3.6 Site basic settings

7.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-15155
GHSA ID
GHSA-4r3m-j6x5-48m3
EPSS Score
0.7421%
CWE
CWE-79
Published
8/28/2020
Updated
1/9/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
baserproject/basercmscomposer>= 4.0.0, <= 4.3.64.3.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The patch indicates that the vulnerability was due to lack of proper escaping of user-controlled data when generating links. The BcBaser::link function is directly involved in this process. Although the exact file path for BcBaserHelper is not given in the patch, it is typically found in a helper file like BcBaserHelper.php.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*r*MS *.*.* *n* **rli*r is *****t** *y *ross Sit* S*riptin* (XSS) vi* *r*itr*ry s*ript *x**ution. **min ****ss is r*quir** to *xploit t*is vuln*r**ility. T** *****t** *ompon*nts is tool**r.p*p. T** issu* is *ix** in v*rsion *.*.*.

Reasoning

T** p*t** in*i**t*s t**t t** vuln*r**ility w*s *u* to l**k o* prop*r *s**pin* o* us*r-*ontroll** **t* w**n **n*r*tin* links. T** `****s*r::link` *un*tion is *ir**tly involv** in t*is pro**ss. *lt*ou** t** *x**t *il* p*t* *or `****s*r**lp*r` is not *i