
CVE-2020-15273: Edit feed settings and others, Cross Site Scripting (XSS) Vulnerability in Latest Release 4.4.0

CVSS Score (v3.1): 7.3

Basic Information

EPSS Score: 0.6076%
Published: 11/4/2020
Updated: 1/9/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
baserproject/basercms | composer | >= 4.4.0, < 4.4.1 | 4.4.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The provided information focuses on access control changes (adding 'BcApp.allowedThemeEdit' checks) rather than demonstrating specific XSS vulnerability patterns such as unescaped output or improper input sanitization. The commit diff shows UI elements being conditionally rendered based on configuration settings, but it does not show the actual vulnerable code that handles user input in components like feed settings or widget areas. Without pre-patch code demonstrating insufficient output encoding in these admin components, the specific vulnerable functions cannot be identified with confidence. The advisory describes the attack surface (admin-accessible components), but the technical details needed to pinpoint the exact vulnerable functions are missing from the provided materials.


WAF Protection Rules

WAF Rule

baserCMS 4.4.0 and earlier is affected by Cross Site Scripting (XSS). Impact: XSS via arbitrary script execution. Attack vector is: administrator must be logged in. Components are: edit feed settings, edit widget area, Sub site new registration, New
