CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yetiforce/yetiforce-crm | composer | <= 6.4.0 | - |
The vulnerability is missing output encoding in the Smarty template EditField.tpl. Values returned by methods such as getFieldLabel(), get('maximumlength') and getHeaderValue() are partly user-controllable (field labels and field parameters set through the application), and the template wrote them straight into HTML attributes and option content without escaping. A payload stored in one of those values is therefore rendered as markup for whoever views the page that includes the template: stored XSS. The patch adds escaping at the output points, via the Smarty |escape modifier and \App\Purifier::encodeHtml. The methods themselves are not defective; the defect is their unescaped use in the template, so any other template that outputs the same values without escaping needs the same treatment. The page lists no first patched version, so treat 6.4.0 and earlier as affected and verify the installed version before assuming the fix is present.
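The following is an added example, not code from YetiForce or from the advisory. It shows why an unescaped label breaks out of an HTML attribute, what the escaping added by the patch changes, and a heuristic audit that flags Smarty output tags lacking an |escape modifier. Assumptions: the field label is attacker-controlled, \App\Purifier::encodeHtml is modelled as htmlspecialchars() with ENT_QUOTES (the actual implementation is not reproduced here), and the template fragment and label payload are constructed samples.

```php
<?php
// Added example, not YetiForce code. Models the EditField.tpl issue:
// attacker-controlled field metadata echoed into attributes without encoding.
declare(strict_types=1);

// Stand-in for \App\Purifier::encodeHtml. ASSUMPTION: equivalent to
// htmlspecialchars with ENT_QUOTES, which an attribute context requires
// (double quotes must become &quot; or the attribute can be closed).
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed payload: a field label that closes the title attribute and
// injects an event handler. Stored once, it fires for every viewer.
const MALICIOUS_LABEL = '" autofocus onfocus="alert(document.cookie)';

// Rendering before the patch: label and maximumlength dropped in verbatim.
function renderUnescaped(string $label, string $maxLength): string
{
    return '<input type="text" title="' . $label . '" maxlength="' . $maxLength . '">';
}

// Rendering after the patch: the equivalent of {$...|escape} / encodeHtml().
function renderEscaped(string $label, string $maxLength): string
{
    return '<input type="text" title="' . encodeHtml($label)
        . '" maxlength="' . encodeHtml($maxLength) . '">';
}

// Heuristic audit: return Smarty output tags {$...} that carry no modifier.
// It does not parse Smarty; a tag whose modifier is something other than
// |escape, or output produced via {include}/{assign}, still needs manual review.
function findUnescapedOutputs(string $template): array
{
    preg_match_all('/\{\$[^}|]+\}/', $template, $matches);
    return $matches[0];
}

// Constructed template fragment mixing a fixed and an unfixed output tag.
const SAMPLE_TEMPLATE = <<<'SMARTY'
<input name="label" value="{$FIELD_MODEL->getFieldLabel()}">
<input name="max" value="{$FIELD_MODEL->get('maximumlength')|escape}">
<option>{$FIELD_MODEL->getHeaderValue()|escape}</option>
SMARTY;

echo "vulnerable: ", renderUnescaped(MALICIOUS_LABEL, '255'), PHP_EOL;
echo "patched:    ", renderEscaped(MALICIOUS_LABEL, '255'), PHP_EOL;
echo "unescaped output tags in template:", PHP_EOL;
foreach (findUnescapedOutputs(SAMPLE_TEMPLATE) as $tag) {
    echo "  ", $tag, PHP_EOL;
}
```

Run with `php example.php`. In the vulnerable rendering the stored label terminates the title attribute and adds an onfocus handler; in the patched rendering every double quote is encoded, so the browser keeps the whole payload inside the attribute value. The audit function reports only the getFieldLabel() tag, which is the shape of line the patch corrected; apply the same check to any other template that echoes field metadata.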