| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yetiforce/yetiforce-crm | composer | < 6.4.0 | 6.4.0 |
The GitHub patch shows that the vulnerability was fixed by calling App\Purifier::purifyByType on the $rss->link value in Rss_Record_Model::setRssValues. This indicates that the original implementation stored untrusted RSS feed data directly as the 'url' parameter, without any purification, so a crafted feed link could persist in the system as a stored XSS payload. The version.php changes in the same commit only bump version metadata, leaving the purification call as the only substantive security-relevant code change in the patch.
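The following is an added illustration of the before/after shape of that fix, not code from YetiForce. It assumes nothing about the real Purifier API: `purifyUrl()` is a hypothetical stand-in for URL-type purification (only absolute http/https URLs free of markup-significant characters are accepted), and `setRssValuesUnsafe()`/`setRssValuesSafe()` are hypothetical reductions of the pre- and post-fix behaviour of `setRssValues`. The feed items are constructed sample input.

```php
<?php
// Added example, not YetiForce code. purifyUrl() is a stand-in for the URL-type
// purification the patch introduced; it rejects anything that is not an absolute
// http(s) URL, and any URL carrying characters an HTML context could misinterpret.
function purifyUrl(string $value): ?string
{
    $value = trim($value);
    // Syntactically valid absolute URL only (filter_var rejects missing host, spaces, etc.).
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Restrict to web schemes: javascript:, data:, file: and friends are refused outright.
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Refuse quotes, angle brackets and control characters even inside an otherwise valid URL.
    if (preg_match('/[<>"\'\x00-\x1F]/', $value)) {
        return null;
    }
    return $value;
}

// Shape of the pre-fix behaviour (hypothetical reduction): the feed link is stored as-is.
function setRssValuesUnsafe(object $rss): array
{
    return ['title' => (string) $rss->title, 'url' => (string) $rss->link];
}

// Shape of the post-fix behaviour (hypothetical reduction): the link is purified first;
// a rejected link is stored as an empty string instead of the raw feed value.
function setRssValuesSafe(object $rss): array
{
    return ['title' => (string) $rss->title, 'url' => purifyUrl((string) $rss->link) ?? ''];
}

// Constructed sample items standing in for entries parsed from an untrusted feed.
$items = [
    (object) ['title' => 'Release notes', 'link' => 'https://example.com/blog/release'],
    (object) ['title' => 'Bad scheme',    'link' => 'javascript:alert(document.cookie)'],
    (object) ['title' => 'Bad markup',    'link' => 'https://example.com/"><svg onload=alert(1)>'],
];

foreach ($items as $item) {
    printf("%-14s unsafe=%s\n%-14s safe=%s\n",
        $item->title, var_export(setRssValuesUnsafe($item)['url'], true),
        '',           var_export(setRssValuesSafe($item)['url'], true));
}
```

Run with `php example.php`: the first item survives both paths unchanged, while the `javascript:` and markup-bearing links are stored verbatim by the unsafe path and replaced by an empty string by the safe path. Storing an empty value rather than a "cleaned" version of a rejected link is deliberate: a partially rewritten attacker-controlled URL is harder to reason about than a clear rejection.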