Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability stems from insufficient input sanitization in testSqlAndScriptInject, the filter Dolibarr runs over request parameters. The pre-patch code ran its event-handler regexes (patterns such as onmouseover= or onerror=) against the original $val parameter without first stripping HTML tags. An attacker can therefore split the handler name with a harmless tag, e.g. <img on<a>error=alert(1)>: the regex sees on<a>error and does not match, yet the inner <a> contributes nothing to the element, and once tags are stripped the value is <img onerror=alert(1)>, which the browser executes. The patch applies the same regex checks to $tmpval, the copy of $val with HTML tags removed, so the check runs on the form of the input that actually reaches the page rather than on the obfuscated raw form. The function's direct role in input validation, and the fact that the commit's only change here is which value the patterns are matched against, confirm that this was the vulnerable code path.
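The following is an added illustration, not Dolibarr's code, of the check-before-normalize flaw described above. It runs an event-handler regex in the style used by testSqlAndScriptInject once against the raw value (pre-patch behaviour) and once against a tag-stripped copy (post-patch behaviour), and shows what the obfuscated payload becomes after the inner tag is removed. The function names, the strip_bare_tags helper and the payload list are assumptions made for this example; strip_bare_tags is a stand-in for the later tag-stripping step, not any actual Dolibarr function.

```php
<?php
// Added example, not code from Dolibarr. Reproduces the flaw described in the
// advisory: an event-handler regex applied to the raw parameter ($val) versus to
// the copy with HTML tags stripped ($tmpval).

// Event-handler pattern in the style of the Dolibarr filter (assumed for this example).
const EVENT_HANDLER_RE =
    '/on(mouse|key|load|unload|abort|error|blur|change|focus|reset|resize|scroll|submit|dblclick)[a-z]*\s*=/i';

// Assumption: a stand-in for the tag-stripping step. It removes bare tags that
// carry no attributes, such as <a>, </b> or <i>, which is exactly what the
// obfuscation relies on being dropped before the browser sees the markup.
function strip_bare_tags(string $val): string
{
    return preg_replace('/<\/?[a-z][a-z0-9]*\s*>/i', '', $val);
}

// Pre-patch behaviour: the pattern is matched against the raw parameter.
function has_event_handler_prepatch(string $val): bool
{
    return preg_match(EVENT_HANDLER_RE, $val) === 1;
}

// Post-patch behaviour: the pattern is matched against the tag-stripped copy,
// i.e. the form of the input that actually reaches the page.
function has_event_handler_patched(string $val): bool
{
    $tmpval = strip_bare_tags($val);
    return preg_match(EVENT_HANDLER_RE, $tmpval) === 1;
}

// Constructed inputs for the demonstration.
$payloads = [
    '<img src=x onerror=alert(1)>',   // plain handler: both versions block it
    '<img on<a>error=alert(1)>',      // the obfuscation from the advisory
    '<img on</b>error=alert(1)>',     // same trick with a closing tag
    '<a href="/x">normal link</a>',   // benign: both versions pass it
];

foreach ($payloads as $p) {
    printf(
        "%-32s prepatch=%s patched=%s after strip=%s\n",
        $p,
        has_event_handler_prepatch($p) ? 'BLOCK' : 'pass ',
        has_event_handler_patched($p) ? 'BLOCK' : 'pass ',
        strip_bare_tags($p)
    );
}
```

Running this with php shows the second and third payloads passing the pre-patch check and being blocked by the patched one, while the stripped form of both is <img onerror=alert(1)>. The general lesson is the one the patch encodes: a deny-list check must run on the canonical form of the data, after every decoding and stripping step the application will later apply, because any normalization performed after the check reopens the gap.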
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dolibarr/dolibarr | composer | < 16.0.5 | 16.0.5 |