-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from insufficient output encoding in tag rendering. The pre-patch code used Strings::htmlspecialchars($taggingName, ENT_QUOTES) which doesn't encode single quotes in HTML5 contexts, and crucially assigned raw $taggingName to oLink->itemTitle/text. Attackers could craft malicious tag names containing XSS payloads that would execute when these link properties were rendered. The fix replaced htmlspecialchars with htmlentities (broader encoding) and consistently used the sanitized $title variable in all output contexts, confirming the vulnerability existed in this function's handling of tag data.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| thorsten/phpmyfaq | composer | < 3.1.13 | 3.1.13 |