The vulnerability stems from unsanitized use of the `select-file` parameter in client-side JavaScript. The exploit URL structure (`/admin/view:modules/load_module:files#select-file=...`) indicates client-side fragment processing. DOM-based XSS occurs when this parameter is injected into the page without neutralization, as demonstrated by Fluid Attacks' payload using `onload` attributes. While exact function names and paths aren't explicitly disclosed, the pattern matches standard client-side parameter handling in module controllers, and the exploit mechanics strongly imply a function directly processing this parameter in the Files module's frontend logic.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| microweber/microweber | composer | <= 1.3.1 | |
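The fragment-handling pattern described above, shown beside a hardened form. This is an added example, not Microweber's code (the advisory does not disclose the affected function); the helper names, the `cms.example` origin and both sample URLs are constructed for illustration.

```javascript
// Added example; helper names, origin and sample URLs are constructed.
const ORIGIN = 'https://cms.example';
const SAMPLE_BAD = ORIGIN + '/admin/view:modules/load_module:files' +
  '#select-file=%3Csvg%20onload%3DPLACEHOLDER%3E';
const SAMPLE_OK = ORIGIN + '/admin/view:modules/load_module:files' +
  '#select-file=https://cms.example/files/logo.png';

// Read one key from a "#key=value&..." fragment (percent-decoded).
function fragmentParam(url, name) {
  return new URLSearchParams(new URL(url).hash.slice(1)).get(name);
}

// Encode HTML metacharacters as numeric character references.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Allowlist: a same-origin http(s) URL containing no markup characters.
function safeFileRef(raw, origin) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  if (/[<>"'`\s\\]/.test(raw)) return null;
  let u;
  try { u = new URL(raw, origin); } catch { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.origin === origin ? u.href : null;
}

// The unsafe pattern: fragment value concatenated straight into markup.
function renderUnsafe(value) {
  return '<img src="' + value + '">';
}

// Hardened: validate first, then escape at the sink; render nothing on failure.
function renderSafe(value, origin) {
  const ref = safeFileRef(value, origin);
  return ref === null ? '' : '<img src="' + escapeHtml(ref) + '">';
}

console.log(renderSafe(fragmentParam(SAMPLE_OK, 'select-file'), ORIGIN));
console.log(JSON.stringify(renderSafe(fragmentParam(SAMPLE_BAD, 'select-file'), ORIGIN)));
```

In a browser, assigning the validated value with `setAttribute` or `textContent` instead of building an HTML string removes the markup sink altogether.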