GHSA-2g98-f9jv-w8c5: robrichards/xmlseclibs XPath injection

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 5/20/2024
Updated: 5/20/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: robrichards/xmlseclibs
Ecosystem: composer
Vulnerable Versions: >= 1.0.0, < 3.0.2
First Patched Version: 3.0.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from unfiltered user input in XPath expressions. The pre-patch code in `XMLSecEnc.php` interpolated `$id` (a substring of the URI) directly into an XPath query, while `processRefNode` in `XMLSecurityDSig.php` built an XPath condition from `$identifier` and from each `$idKey` it looped over, without sanitization. The commit introduced `XPath::filter()` to sanitize these values, which confirms that these were the injection points. Using external inputs (the URI-derived `$id` and the signature reference's `$identifier`/`$idKey`) directly in query construction without prior validation matches the XPath injection pattern.
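
The interpolation pattern described above, next to a filtered form, as an added example that is not code from xmlseclibs or its patch. The helper names (`stripQuotes`, `safeAttrName`, `countUnfiltered`, `countFiltered`), the sample document and both URIs are assumptions constructed for illustration.

```php
<?php
// Constructed sample document; element names and Id values are illustrative.
$doc = new DOMDocument();
$doc->loadXML('<Root><Assertion Id="signed-1">covered</Assertion>'
    . '<Assertion Id="other-2">not covered</Assertion></Root>');
$xpath = new DOMXPath($doc);

// Hypothetical helper: remove quote characters so the value cannot close
// the XPath string literal it is placed in.
function stripQuotes(string $value): string
{
    return preg_replace('#[\'"]#', '', $value);
}

// Hypothetical helper: keep only characters expected in an attribute name.
function safeAttrName(string $name): string
{
    $clean = preg_replace('#[^\w\-:.]#', '', $name);
    if ($clean === '') {
        throw new InvalidArgumentException('empty attribute name after filtering');
    }
    return $clean;
}

// Pattern from the root cause analysis: URI-derived $id interpolated as-is.
function countUnfiltered(DOMXPath $xpath, string $uri): int
{
    $id = substr($uri, 1); // drop the leading '#'
    return $xpath->query('//*[@Id="' . $id . '"]')->length;
}

// Same lookup with both the attribute name and the value filtered first.
function countFiltered(DOMXPath $xpath, string $uri, string $idKey = 'Id'): int
{
    $id = stripQuotes(substr($uri, 1));
    return $xpath->query('//*[@' . safeAttrName($idKey) . '="' . $id . '"]')->length;
}

$uris = [
    '#signed-1',          // well-formed reference
    '#nope" or "1"="1',   // constructed: the quote ends the literal early
];
foreach ($uris as $uri) {
    printf("%-20s unfiltered=%d filtered=%d\n", $uri,
        countUnfiltered($xpath, $uri), countFiltered($xpath, $uri));
}
```

For the second URI the unfiltered query matches every element in the document, while the filtered query matches none, so a reference can no longer resolve to nodes other than the one carrying the stated Id.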

WAF Protection Rules

WAF Rule

A vulnerability has been identified in the robrichards/xmlseclibs library, specifically related to XPath injection. The issue arises from inadequate filtering of user input before it is incorporated into XPath expressions.
