CVSS Score

The vulnerability stems from unescaped output of user-controlled data in comment handling. The patch adds `Strings::htmlentities()` wrapping around both the `getUsername()` and `getComment()` method calls, indicating that these were the direct sources of untrusted data rendered without encoding. Because these methods return raw user input that is displayed in admin interfaces, using them unescaped in templates allowed a stored XSS payload to execute in the browser of whoever viewed the comment.
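As an added illustration (not phpMyFAQ's own code), the before/after pattern the patch describes. `escapeHtml()` stands in for the project's `Strings::htmlentities()` helper, and the `Comment` class is a constructed stand-in for the object exposing `getUsername()` and `getComment()`; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the object whose getters return raw user input.
final class Comment
{
    private string $username;
    private string $comment;

    public function __construct(string $username, string $comment)
    {
        $this->username = $username;
        $this->comment = $comment;
    }

    public function getUsername(): string { return $this->username; }
    public function getComment(): string { return $this->comment; }
}

// Stand-in for Strings::htmlentities(): encode the HTML-significant characters
// (including both quote styles) so the browser renders the value as text.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// BEFORE (the vulnerable pattern): getters interpolated straight into admin HTML.
function renderCommentRowVulnerable(Comment $c): string
{
    return '<tr><td>' . $c->getUsername() . '</td><td>' . $c->getComment() . '</td></tr>';
}

// AFTER (the patched pattern): every untrusted value is escaped at output time.
function renderCommentRowFixed(Comment $c): string
{
    return '<tr><td>' . escapeHtml($c->getUsername()) . '</td><td>' . escapeHtml($c->getComment()) . '</td></tr>';
}

// Regression check: does the rendered HTML still contain the stored input verbatim?
function containsRawInput(string $html, string $input): bool
{
    return strpos($html, $input) !== false;
}

// Constructed sample: a stored comment whose body is markup rather than text.
$stored = new Comment('mallory', '<script>alert(1)</script>');

if (!containsRawInput(renderCommentRowVulnerable($stored), $stored->getComment())) {
    throw new RuntimeException('vulnerable renderer unexpectedly neutralised the input');
}
if (containsRawInput(renderCommentRowFixed($stored), $stored->getComment())) {
    throw new RuntimeException('fixed renderer leaked raw markup');
}

echo renderCommentRowFixed($stored), PHP_EOL;
```

The check function is the kind of assertion worth keeping in the project's template tests: feed each comment getter a value containing `<`, `>`, `"` and `'`, and fail the build if the rendered page still contains it unencoded. Escaping at output time, as the patch does, is the right layer; escaping on input would corrupt data reused in non-HTML contexts.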
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| thorsten/phpmyfaq | composer | < 3.1.10 | 3.1.10 |