
CVE-2022-0743: Cross site scripting in getgrav/grav

CVSS Score: 4.6 (CVSS v3.1)

Basic Information

EPSS Score: 0.42002%
Published: 3/2/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
getgrav/grav    composer     < 1.7.31               1.7.31

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The key vulnerability stemmed from improper entity sanitization in Security::detectXss. The commit diff shows the regex pattern was modified from checking for '&#0+[0-9]+' to '&#[0-9]+', indicating the original implementation missed entities without leading zeros. This function is explicitly responsible for XSS detection, and the patch directly addresses the sanitization gap. No other functions were modified in the security-related commit.
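Added illustration, not Grav's code and not from the original page: the two regexes quoted above are applied to constructed inputs to show that a decimal entity written without leading zeros matches only the patched pattern, even though it decodes to the same character either way. Python's re module is used; both patterns behave identically under PCRE. The helper names and sample strings are assumptions.

```python
import re

# Constructed illustration of the pattern change described in the root cause analysis.
# These are stand-ins, not Grav's Security::detectXss source; only the two regexes are
# taken from the page. Helper names and sample inputs are assumptions.
PRE_FIX_PATTERN = re.compile(r"&#0+[0-9]+")   # requires at least one leading zero
POST_FIX_PATTERN = re.compile(r"&#[0-9]+")    # matches any decimal numeric entity


def flags_numeric_entity(value: str, pattern: re.Pattern) -> bool:
    """True if `pattern` finds a decimal numeric character reference in `value`."""
    return pattern.search(value) is not None


def decode_decimal_entities(value: str) -> str:
    """Decode &#NNN; references the way a browser does: leading zeros do not change the result."""
    return re.sub(r"&#0*([0-9]+);?", lambda m: chr(int(m.group(1))), value)


def compare_patterns(samples):
    """Return {sample: (pre_fix_hit, post_fix_hit, decoded)} for each constructed input."""
    return {
        s: (
            flags_numeric_entity(s, PRE_FIX_PATTERN),
            flags_numeric_entity(s, POST_FIX_PATTERN),
            decode_decimal_entities(s),
        )
        for s in samples
    }


# Constructed sample inputs: the same markup spelled with and without leading zeros.
SAMPLES = [
    "hello &#060;b&#062;world",   # zero-padded: caught by both patterns
    "hello &#60;b&#62;world",     # unpadded: missed by the pre-fix pattern, caught after
    "hello world",                # no entities: flagged by neither
]

if __name__ == "__main__":
    for sample, (old, new, decoded) in compare_patterns(SAMPLES).items():
        print(f"{sample!r:30} pre-fix={old!s:5} post-fix={new!s:5} decodes to {decoded!r}")
```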


WAF Protection Rules

WAF Rule

User input is not properly sanitized, leading to cross-site scripting (XSS) in Grav.
