
CVE-2020-27388:
YOURLS Stored Cross Site Scripting (XSS)

CVSS Score
5.4

Basic Information

EPSS Score
-
Published
5/24/2022
Updated
1/10/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name
yourls/yourls
Ecosystem
composer
Vulnerable Versions
>= 1.5, < 1.8
First Patched Version
1.8

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from the plugin header parsing logic in yourls_get_plugin_data(), which assigned user-controlled input (the plugin metadata headers read from a plugin file) directly to display values without HTML escaping. The fix in commit 04495e8 explicitly wraps those header values in yourls_esc_html(), confirming this was the vulnerable code path. Because the function is what turns plugin metadata into admin-panel output, it is the injection point for the stored XSS payloads.
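As an added illustration (not YOURLS's own code, and not the patch in commit 04495e8), the snippet below shows the pattern the root cause describes: a parser that lifts header fields out of a plugin file's leading comment, a rendering function that drops those values into HTML unescaped, and the hardened form that escapes each value first. The header names follow the YOURLS plugin header convention; the function names parse_plugin_header(), render_plugin_row_unsafe(), render_plugin_row() and esc_html() (a stand-in for yourls_esc_html()) and the sample plugin source are assumptions constructed for this example.

```php
<?php
// Added example, not YOURLS code: a minimal plugin-header parser and two
// renderers, one with the pre-fix defect and one with escaping applied.
declare(strict_types=1);

// Header fields read from the comment block at the top of a plugin file.
const PLUGIN_HEADERS = [
    'Plugin Name', 'Plugin URI', 'Description', 'Version', 'Author', 'Author URI',
];

// Stand-in for yourls_esc_html(): escape a string for use as HTML element content.
function esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Extract "Field: value" lines for each known header from plugin source text.
// A field that is absent yields an empty string.
function parse_plugin_header(string $source): array
{
    $data = [];
    foreach (PLUGIN_HEADERS as $field) {
        // Match the field name at line start, allowing comment decoration before it.
        $pattern = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':[ \t]*(.*)$/mi';
        $data[$field] = preg_match($pattern, $source, $m) ? trim($m[1]) : '';
    }
    return $data;
}

// Vulnerable rendering: header values are interpolated into HTML as-is, so any
// markup an authenticated user placed in the plugin header is emitted verbatim.
function render_plugin_row_unsafe(array $data): string
{
    return "<tr><td>{$data['Plugin Name']}</td><td>{$data['Description']}</td></tr>";
}

// Hardened rendering: every header value is escaped before it reaches the page,
// which is the shape of the fix described above.
function render_plugin_row(array $data): string
{
    $safe = array_map('esc_html', $data);
    return "<tr><td>{$safe['Plugin Name']}</td><td>{$safe['Description']}</td></tr>";
}

// Constructed sample plugin file whose Description header carries HTML markup.
$plugin_source = <<<'PLUGIN'
<?php
/*
Plugin Name: Example Plugin
Description: Adds <b>bold</b> links
Version: 1.0
Author: constructed example
*/
PLUGIN;

$data = parse_plugin_header($plugin_source);
echo render_plugin_row_unsafe($data), PHP_EOL;  // the <b> tag is emitted as live markup
echo render_plugin_row($data), PHP_EOL;         // the same tag is emitted as escaped text
```

Running the script prints the two rows one after the other; the difference between them is exactly what the patch changes. The escaping has to happen at output time for every header field, not only for the ones that look risky, because each header is equally user-controlled once a plugin file can be modified.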


WAF Protection Rules

WAF Rule

Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.
