-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe patch changes two critical aspects: 1) Uses tmp_name for mime detection instead of user-controlled filename 2) Uses parse_url to safely extract extensions. The original code's pathinfo($_file, PATHINFO_EXTENSION) was vulnerable to manipulation via crafted filenames. By combining improper extension validation with potential unsanitized display of filenames in the UI, stored XSS becomes possible when malicious files are listed in the assets manager.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cockpit-hq/cockpit | composer | <= 2.6.3 |
PHPPHPOngoing coverage of React2Shell