-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| thorsten/phpmyfaq | composer | < 3.2.0-beta | 3.2.0-beta |
Miggo AIRoot Cause AnalysisThe vulnerability stems from insufficient sanitization in the cleanUpContent method. The pre-patch code only removed <script> tags but didn't handle event attributes (e.g., onerror). The commit explicitly adds DOMXPath logic to strip attributes starting with 'on', and the test case demonstrates an XSS payload via <img src=foo onerror=alert(...)>, which was exploitable before the patch. This directly maps to CWE-79 (XSS via unneutralized input).