
CVE-2020-25915: ThinkCMF Cross-site Scripting Vulnerability

CVSS Score
5.4 (CVSS v3.1)

Basic Information

EPSS Score
0.61618%
Published
8/11/2023
Updated
11/9/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name
thinkcmf/thinkcmf
Ecosystem
composer
Vulnerable Versions
< 5.1.7
First Patched Version
5.1.7

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from unsanitized use of the $_POST superglobal in database operations. In the original code:

  1. addPost() passed $_POST directly to insertGetId() without validation.
  2. editPost() passed $_POST directly to update() without filtering.

This allowed XSS payloads in the user_login field to be stored and then executed when the value was rendered. The patch replaced $_POST with the framework's param() method and added strict mode, which confirms that input validation was previously missing. The GitHub issue explicitly identifies these $_POST usages as the vulnerable points for the stored XSS.
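The two row-building shapes described above, as an added illustration that is not ThinkCMF's code: the framework's Db insert/update, request->param() and strict mode are assumed and replaced by plain-PHP stand-ins (an allow-list of columns and a login-name pattern, both assumptions) so the script runs on its own, with output escaping shown as the second line of defence.

```php
<?php
// Added illustration; not ThinkCMF's code. The framework pieces named in the
// analysis (insertGetId()/update() on a query, param(), strict mode) are
// replaced by plain PHP so this runs stand-alone.

// Constructed request body: user_login carries markup, and a column the
// form never exposes rides along with it.
$_POST = [
    'user_login'  => '<script>alert(1)</script>',
    'user_email'  => 'someone@example.com',
    'user_status' => '1',
];

// Vulnerable shape of addPost()/editPost(): the whole superglobal becomes
// the row handed to the insert/update, so every key and value is caller-chosen.
function buildRowVulnerable(): array
{
    return $_POST;
}

// Hardened shape: only declared fields are accepted (the effect of param()
// with strict mode, which rejects keys that are not table columns), and
// user_login must match the character set a login name actually needs.
function buildRowHardened(array $input): array
{
    $allowed = ['user_login', 'user_email'];            // assumed column list
    $unknown = array_diff(array_keys($input), $allowed);
    if ($unknown !== []) {
        throw new InvalidArgumentException('unknown field: ' . implode(',', $unknown));
    }
    $login = (string) ($input['user_login'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $login)) { // assumed login format
        throw new InvalidArgumentException('invalid user_login');
    }
    return ['user_login' => $login, 'user_email' => (string) ($input['user_email'] ?? '')];
}

// Output side: a stored login is escaped wherever it is rendered, so a value
// that slipped past input checks cannot execute in the browser.
function renderLogin(string $login): string
{
    return htmlspecialchars($login, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

var_dump(buildRowVulnerable()['user_login']);  // raw markup reaches the row
try {
    buildRowHardened($_POST);                  // rejected: unknown field and bad login
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
print_r(buildRowHardened(['user_login' => 'alice_01', 'user_email' => 'a@example.com']));
echo renderLogin($_POST['user_login']), PHP_EOL;  // markup rendered inert
```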


WAF Protection Rules

WAF Rule

Cross Site Scripting (XSS) vulnerability in `UserController.php` in ThinkCMF version *.*.*, allows attackers to execute arbitrary code via crafted `user_login`.
