-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dolibarr/dolibarr | composer | < 18.0.2 | 18.0.2 |
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability stems from incomplete PHP code stripping in user input. The commit diff shows dolKeepOnlyPhpCode() was modified to address short_open_tag handling. The original implementation only replaced <?= and split on <?php, but didn't account for <? short tags. This allowed attackers to inject PHP code via <? ... ?> syntax. The added test cases in WebsiteTest.php explicitly validate this fix by testing <? and nested <?php tags, confirming the function's role in input validation. The CVE description and PoC both demonstrate exploitation via short_open_tag bypass, directly implicating this function.
KEV Misses 88% of Exploited CVEs- Get the report