Miggo Logo
Miggo Vulnerability Database
CVE-2023-4157

CVE-2023-4157: omeka/omeka-s Improper Input Validation vulnerability

5.2

CVSS Score
3.0

Basic Information

CVE ID
CVE-2023-4157
GHSA ID
GHSA-fxc5-pr68-2px3
EPSS Score
0.20011%
CWE
CWE-20
Published
8/4/2023
Updated
11/10/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
omeka/omeka-scomposer< 4.0.34.0.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped output of user-controlled data (installation title) in template files. The patches explicitly add escaping functions ($escape, escapeHtml) to three locations where the title was displayed. The original code used $this->setting('installation_title') and $title without sanitization, violating CWE-20 and CWE-74. These functions directly handle user-controlled input and were missing output encoding, making them the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Improp*r Input V*li**tion in *it*u* r*pository om*k*/om*k*-s prior to *.*.*.

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** output o* us*r-*ontroll** **t* (inst*ll*tion titl*) in t*mpl*t* *il*s. T** p*t***s *xpli*itly *** *s**pin* *un*tions (`$*s**p*`, `*s**p**tml`) to t*r** lo**tions w**r* t** titl* w*s *ispl*y**. T** ori*in*l *o**