CVSS Score
The commit diff shows the fix to the XSS detection logic of the `testSqlAndScriptInject` function. Before the patch, the regex that looks for inline event-handler attributes (`on(mouse|drag|...)`) was run against `$val`, the raw input, while the function's other checks inspect `$tmpval`, the sanitized copy of that input. Because the raw and sanitized strings can differ, an attacker could craft a payload in which the event-handler attribute is not visible in `$val` but is present in `$tmpval`, hiding the XSS payload inside HTML elements that the raw-input check did not flag. The root cause was that the sanitized input (`$tmpval`) was not validated in all regex checks; the patch explicitly switches those checks to `$tmpval`, confirming this diagnosis.
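To make the raw-versus-sanitized mismatch concrete, the following is an added Python reimplementation of the two check variants; it is not Dolibarr's code and not taken from the commit. It assumes that the sanitized copy (`$tmpval`) is an HTML-entity-decoded form of the input that the application later processes, and that the event-handler alternation is close to the one quoted above; the regex list, the `normalize`, `detect_vulnerable`, `detect_fixed` and `compare` helpers, and the sample inputs are all constructed for this illustration.

```python
import html
import re

# Event-handler attribute pattern in the spirit of the advisory's
# on(mouse|drag|...)= regex. The exact alternation Dolibarr uses is
# longer; this list is an illustrative assumption.
EVENT_HANDLER_RE = re.compile(
    r"on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=",
    re.IGNORECASE,
)


def normalize(val: str) -> str:
    """Stand-in for $tmpval: the HTML-entity-decoded copy of the raw input.

    Assumption for this example: the application later decodes entities in
    the stored value, so this is the form that actually matters.
    """
    return html.unescape(val)


def detect_vulnerable(val: str) -> bool:
    """'Before' behaviour: the handler regex runs on the raw $val even
    though a sanitized $tmpval has been computed."""
    tmpval = normalize(val)  # computed but ignored by this check
    del tmpval
    return bool(EVENT_HANDLER_RE.search(val))


def detect_fixed(val: str) -> bool:
    """'After' behaviour: every regex check inspects the sanitized $tmpval."""
    tmpval = normalize(val)
    return bool(EVENT_HANDLER_RE.search(tmpval))


# Constructed sample inputs (not taken from the advisory or the commit).
SAMPLES = {
    # Handler visible in the raw string: both variants catch it.
    "plain": '<img src=x onload=alert(1)>',
    # The "l" of onload written as a decimal entity: the raw check sees
    # "on&#108;oad=" and does not match; the decoded copy reads "onload=".
    "entity_encoded": '<img src=x on&#108;oad=alert(1)>',
    # Ordinary markup with "on=" in a query string: neither variant flags it.
    "benign": '<a href="/orders?on=1">orders</a>',
}


def compare(samples=SAMPLES):
    """Return {name: (vulnerable_result, fixed_result)} for each sample."""
    return {name: (detect_vulnerable(s), detect_fixed(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:15s} before={before!s:5s} after={after!s}")
```

The `entity_encoded` sample is the interesting row: the raw check returns `False` while the fixed check returns `True`, which is exactly the gap the patch closes by pointing the regex at `$tmpval`. When reviewing similar filters, the general rule is that every check must run on the same representation the downstream code will consume, not on whichever string happens to be in scope.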
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dolibarr/dolibarr | composer | < 18.0.0 | 18.0.0 |