| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| silverstripe/cms | composer | <= 4.5.0 | |
| silverstripe/framework | composer | >= 3.0.0, < 3.7.5 | 3.7.5 |

The vulnerability involves stored XSS via crafted profile data reflected in login URLs. The `Security` controller's `LoginForm` method is central to rendering login forms and likely handles parameters like `BackURL`. If these parameters are populated from attacker-controlled profile data without sanitization, XSS occurs. The `Member` class's profile management methods (e.g., `getCMSFields`) may also lack input sanitization, enabling payload storage. The patched version 3.7.5 likely addressed these by adding proper escaping in `Security::LoginForm` and validation in `Member` profile handling.