CVSS Score
- The patch adds HTML encoding at both locations through a new htmlEncode function. The vulnerability arose from two sinks: 1) the confirmation dialog's question parameter, which took the untrusted title attribute and rendered it without encoding; 2) the domain admin username display, which inserted the domain name value directly into the DOM. Both locations handle user-controlled input (domain titles and names) and emit it as HTML without escaping in vulnerable versions, which satisfies the conditions for cross-site scripting (XSS). The commit diff shows that these were the only locations modified to add encoding.
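To make the fix concrete, the following added example (not modoboa's own code; the function name htmlEncode is taken from the advisory, its body and the two builder functions are assumptions) contrasts the vulnerable pattern, a domain name concatenated straight into markup, with the hardened pattern that encodes the value at the point where it meets the HTML context. The payload is a constructed domain "name" carrying an event-handler attribute.

```javascript
// Added example, not code from the modoboa project. htmlEncode mirrors the
// kind of helper the patch introduces; its exact implementation is assumed.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so later entities are not double-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")  // needed when the value lands inside a double-quoted attribute
    .replace(/'/g, "&#39;");  // needed when the value lands inside a single-quoted attribute
}

// Vulnerable pattern (the "before" of the fix): the untrusted domain name is
// interpolated directly into the confirmation question and the admin label.
function buildDeleteQuestionVulnerable(domainName) {
  return "Delete domain " + domainName + "?";
}

function buildAdminLabelVulnerable(domainName) {
  return "<span class='domain'>" + domainName + "</span>";
}

// Hardened pattern (the "after"): encode once, where the value becomes HTML.
function buildDeleteQuestionSafe(domainName) {
  return "Delete domain " + htmlEncode(domainName) + "?";
}

function buildAdminLabelSafe(domainName) {
  return "<span class='domain'>" + htmlEncode(domainName) + "</span>";
}

// Constructed payload: a domain name that is really an <img> tag with an
// onerror handler. Any sink that writes it with innerHTML would run the handler.
const PAYLOAD = "<img src=x onerror=alert(1)>";

// Rough, self-contained oracle for this demo: does the rendered string still
// contain an element with an on*= event-handler attribute?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Runs the payload through both sinks and reports which versions stay inert.
function demo() {
  return {
    questionVulnerable: containsActiveMarkup(buildDeleteQuestionVulnerable(PAYLOAD)),
    labelVulnerable: containsActiveMarkup(buildAdminLabelVulnerable(PAYLOAD)),
    questionSafe: containsActiveMarkup(buildDeleteQuestionSafe(PAYLOAD)),
    labelSafe: containsActiveMarkup(buildAdminLabelSafe(PAYLOAD)),
  };
}

console.log(demo());
```

Encoding the five significant characters is sufficient for element content and quoted attribute values, which covers both sinks named above. Where the code only needs to display the name rather than build markup, assigning it to `textContent` instead of `innerHTML` avoids the problem without any encoding step.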
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| modoboa | pip | < 2.0.4 | 2.0.4 |