-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| feehi/feehicms | composer | = 2.1.1 |
Miggo AIRoot Cause AnalysisThe vulnerability is a reflected Cross-Site Scripting (XSS) issue in the 'id' parameter of the user update functionality. The analysis of the provided information and source code points to the actions method within the backend/controllers/UserController.php file as the origin of the vulnerability. This method is responsible for configuring URL routes and their corresponding logic. For the 'user/update' route, the actions method defines an 'update' action. The configuration for this action includes a 'data' closure that takes the id parameter from the URL. This id is then used to retrieve the user model to be updated. The vulnerability report indicates that this id parameter is not validated or encoded, and the proof-of-concept confirms that a malicious script can be injected through it. The UserController::actions method is the place where this unsafe handling of the id parameter is defined, making it the primary vulnerable function. The fix would involve adding input validation for the id within this controller action or ensuring context-aware output encoding in the corresponding view.
backend\controllers\UserController::actionsbackend/controllers/UserController.php