The vulnerability stems from missing output encoding in two key areas:

1. In `record.questions.php`, the question text was directly rendered without using `Strings::htmlentities`.
2. In `ajaxservice.php`, user-controlled question input was stored without applying `Strings::htmlspecialchars`.

The patch added escaping in both locations, confirming these were the vulnerable points. Both locations handle user-controlled data that gets persisted and rendered, making them clear XSS vectors.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| thorsten/phpmyfaq | composer | < 3.1.9 | 3.1.9 |
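
The store-then-render flow described above, as an added sketch that is not phpMyFAQ code: `storeQuestion()` and `renderQuestions()` are hypothetical stand-ins for the two patched locations, and PHP's native `htmlspecialchars()` stands in for the project's `Strings` wrappers. Passing `double_encode = false` at render time is an assumption of this sketch, used so that rows encoded at store time are not encoded twice (requires PHP 8 for `str_contains`).

```php
<?php
declare(strict_types=1);

// Added illustration; not phpMyFAQ source. Native htmlspecialchars() stands in
// for the project's Strings::htmlspecialchars / Strings::htmlentities wrappers.

/** Escapes & < > " ' so the value is inert in HTML text and quoted attributes. */
function encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Store path (hypothetical stand-in for the ajaxservice.php handler). */
function storeQuestion(array &$db, string $question, bool $patched): void
{
    $db[] = $patched ? encode($question) : $question;
}

/** Render path (hypothetical stand-in for the record.questions.php listing). */
function renderQuestions(array $db, bool $patched): string
{
    $rows = '';
    foreach ($db as $question) {
        // double_encode=false (sketch assumption) leaves store-time entities as they are.
        $cell = $patched
            ? htmlspecialchars($question, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false)
            : $question;
        $rows .= "<tr><td>{$cell}</td></tr>\n";
    }
    return $rows;
}

// Constructed input: a harmless marker string that only shows whether markup survives.
$input = 'How do I reset <b>my</b> password? <script>alert(1)</script>';

$legacyDb = [];
storeQuestion($legacyDb, $input, false);      // row saved before the fix
$before = renderQuestions($legacyDb, false);  // unpatched render: markup reaches the page
$after  = renderQuestions($legacyDb, true);   // patched render neutralises the old row

$newDb = [];
storeQuestion($newDb, $input, true);          // row saved after the fix
$fresh = renderQuestions($newDb, true);       // encoded once, not doubled

var_dump(str_contains($before, '<script>'));  // does the unpatched page carry the tag?
var_dump(str_contains($after, '<script>'));   // does the patched page carry it?
var_dump($after === $fresh);                  // old and new rows render identically?
```

Encoding at render time is what protects rows already persisted by a vulnerable version; store-time encoding alone leaves those rows live.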