Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| admidio/admidio | composer | < 4.1.3 | 4.1.3 |
The key vulnerability stems from how user-supplied data (album names, descriptions) was retrieved and output without adequate escaping. The patch adds the 'database' format parameter to getValue() calls in photo_album_new.php, which correlates with changes in TablePhotos::getValue where format handling occurs. The removed global $gL10n and the added format checks indicate that the method previously returned raw database values without context-aware escaping. When called without the 'database' format (as in the pre-patch code), the method failed to neutralize HTML-sensitive characters in these fields, enabling stored XSS payloads to execute when rendered in admin UI components.
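As an added illustration (not Admidio's code), a hypothetical record class modelling the format-aware getValue() the advisory describes; the class name, column names and sample row are assumed or constructed, and the hardened accessor escapes for HTML output unless the caller explicitly asks for the stored 'database' form:

```php
<?php
// Added example, not Admidio's code: minimal model of a table-object
// getValue() with a format parameter. Class and column names are hypothetical.
final class PhotoAlbumRecord
{
    /** @var array<string,string> raw column values as stored in the database */
    private array $row;

    public function __construct(array $row)
    {
        $this->row = $row;
    }

    // Pre-patch behaviour: the stored value is returned untouched, so an
    // album name containing markup reaches the rendered page as-is.
    public function getValueUnsafe(string $column): string
    {
        return $this->row[$column] ?? '';
    }

    // Patched behaviour: the value is HTML-escaped for output by default;
    // callers that need the raw stored value (e.g. writing it back to the
    // database) must request format 'database' explicitly.
    public function getValue(string $column, string $format = ''): string
    {
        $value = $this->row[$column] ?? '';
        if ($format === 'database') {
            return $value;
        }
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample row: an album name carrying a stored-XSS payload.
$album = new PhotoAlbumRecord([
    'pho_name'        => '<script>alert(1)</script>Summer',
    'pho_description' => 'Trip "photos" & notes',
]);

// Rendering into the admin UI: the unsafe accessor emits the tag verbatim,
// the escaped accessor turns it into inert text.
echo '<h1>' . $album->getValueUnsafe('pho_name') . "</h1>\n"; // script tag executes
echo '<h1>' . $album->getValue('pho_name') . "</h1>\n";       // &lt;script&gt; shown as text

// Database round-trip: request the stored form explicitly.
$raw = $album->getValue('pho_description', 'database');
assert($raw === 'Trip "photos" & notes');
```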