-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| thorsten/phpmyfaq | composer | < 3.1.9 | 3.1.9 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from improper handling of the $action parameter in admin/index.php. The parameter was retrieved via Filter::filterInput using FILTER_UNSAFE_RAW (which preserves raw input) but lacked subsequent HTML entity encoding. The patch introduced Strings::htmlentities($action) to sanitize the value, confirming that prior versions directly used the unescaped user input in output contexts. This missing encoding step allowed attackers to inject arbitrary scripts via the action parameter, resulting in reflected XSS.
Ongoing coverage of React2Shell