| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/umami_analytics | composer | < 1.0.1 | 1.0.1 |
The vulnerability lies in the Umami Analytics module's permission configuration: the 'administer umami analytics' permission is not flagged as a security risk. A site administrator can therefore grant it to a user without any warning, and that user can then configure a malicious JavaScript file, leading to a stored Cross-Site Scripting (XSS) vulnerability. The patch addresses this by adding 'restrict access: true' to the permission definition in 'umami_analytics.permissions.yml', which makes Drupal's permissions page warn administrators that the permission should only be given to trusted roles. Although no PHP code was changed in the patch, the functions 'Drupal\umami_analytics\Form\SettingsForm::submitForm' and 'umami_analytics_page_attachments' are the key components of the vulnerable workflow: 'SettingsForm::submitForm' saves the malicious script URL, and 'umami_analytics_page_attachments' injects it into the website's pages. These functions would therefore appear in a runtime profile during exploitation of this vulnerability.
| Function | File |
|---|---|
| Drupal\umami_analytics\Form\SettingsForm::submitForm | src/Form/SettingsForm.php |
| umami_analytics_page_attachments | umami_analytics.module |
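The permission definition before and after the fix, as an added illustration rather than the module's actual file contents; the permission name and the 'restrict access' key come from the advisory, while the title and description text are assumed placeholders:

```yaml
# umami_analytics.permissions.yml (constructed illustration)

# Vulnerable definition: nothing tells a site administrator that granting
# this permission lets the grantee supply a script URL that is injected
# into every page.
administer umami analytics:
  title: 'Administer Umami Analytics'      # assumed placeholder text
  description: 'Configure the analytics script URL.'  # assumed placeholder

# Patched definition: 'restrict access: true' makes Drupal's permissions
# page show its standard "Give to trusted roles only; this permission has
# security implications" warning next to the checkbox.
administer umami analytics:
  title: 'Administer Umami Analytics'      # assumed placeholder text
  description: 'Configure the analytics script URL.'  # assumed placeholder
  restrict access: true
```

When auditing a site, treat any role holding this permission as equivalent to a role that can run arbitrary JavaScript in every visitor's browser, and review the saved script URL in the module's settings accordingly.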