The vulnerability lies in multiple PHP scripts within the 'tests/_network/' directory. These scripts were intended for testing HTTP request functionality, but they reflect various parts of the incoming HTTP request (GET parameters, POST parameters, authentication details, cookies, raw POST body, and uploaded file metadata) directly into the HTTP response without HTML escaping. This makes them vulnerable to Cross-Site Scripting (XSS) if the test scripts are accessible via a web server and an attacker can craft requests with malicious input.
The commit 07925aa77e441dba0ff0fa973a09802729cb838f addresses these vulnerabilities by consistently applying htmlspecialchars() to all data before it is echoed or otherwise output in these test scripts. The affected code in each script is within its global execution scope. In PHP profiling or stack traces, code executed in the global scope of a script is often referred to as {main}(). Therefore, {main}() is used as the function name, with the respective file path indicating the specific vulnerable script. The vulnerability description explicitly mentions getparameters.php and postparameters.php but also refers to "multiple files," which is consistent with the broad set of changes in the patch.
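The reflect-then-escape pattern described above, as an added illustration that is not code from the project or from the commit. The function names (h, dump_unescaped, dump_escaped) and the sample array are hypothetical; the sample stands in for $_GET and carries markup in a value, in a parameter name, and inside a nested array, since all three reach the response.

```php
<?php
// Added illustration; not the project's code. All function names are hypothetical.

/** Escape one scalar for an HTML text or attribute context. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** "Before" pattern: request data written to the response as received. */
function dump_unescaped(array $params): string
{
    $out = '';
    foreach ($params as $name => $value) {
        $out .= $name . '=' . (is_array($value) ? implode(',', $value) : $value) . "\n";
    }
    return $out;
}

/** "After" pattern: names and values escaped, nested arrays walked recursively. */
function dump_escaped(array $params, string $prefix = ''): string
{
    $out = '';
    foreach ($params as $name => $value) {
        // Parameter names are request-controlled too, so they are escaped like values.
        $label = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $out .= dump_escaped($value, $label);
        } else {
            $out .= h($label) . '=' . h($value) . "\n";
        }
    }
    return $out;
}

// Constructed sample input standing in for $_GET.
$sample = [
    'q'    => '<b>bold</b>',
    'a"b'  => 'x',
    'tags' => ['one', '<i>two</i>'],
];

echo "unescaped:\n", dump_unescaped($sample);
echo "escaped:\n", dump_escaped($sample);
```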