
CVE-2024-40111: Automad Cross-site Scripting vulnerability

CVSS Score (v3.1): 4.8

Basic Information

EPSS Score: 0.81102%
Published: 8/23/2024
Updated: 8/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
automad/automad | composer | <= 2.0.0-alpha.4 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from two key points: 1) The API endpoint accepting unsanitized user input in page content (shown in PoC request), and 2) The template rendering engine failing to escape stored content. While the exact file paths are inferred from standard MVC patterns in PHP CMS architectures, the confidence remains high for the API handler due to direct evidence in the PoC, and medium for the parser component based on typical XSS vulnerability patterns.


WAF Protection Rules

WAF Rule

A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the fla…
