| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pimcore/pimcore | composer | < 10.5.20 | 10.5.20 |

The vulnerability arises from improper neutralization of the 'index_key' input in composite indices. The PHP saveAction method processed user-supplied 'index_key' values without sanitizing them (via preg_replace), enabling stored XSS when the value was rendered. The JavaScript client-side code (class.js) lacked validation for the same field, so XSS payloads passed the client checks. The patch introduced both server-side sanitization and client-side validation, confirming that these were the vulnerable points. Both layers were critical: the server-side flaw allowed persistent XSS, while the missing client-side validation made exploitation easier.
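
The two layers described above, plus output encoding at render time, can be sketched as follows. This is an added example, not Pimcore's code or its patch: the allowed character set, the 64-character limit and every function name are assumptions, and the sample inputs are constructed.

```javascript
// Added illustration; NOT Pimcore's code. The allowed character set, length
// limit and all function names here are assumptions made for the example.
const KEY_ALLOWED = /^[A-Za-z0-9_]{1,64}$/;

// Client-side layer: reject a bad key in the form so the user gets an error.
function isValidIndexKey(key) {
  return typeof key === "string" && KEY_ALLOWED.test(key);
}

// Server-side layer: strip everything outside the allowlist before storing,
// the JavaScript analogue of a PHP preg_replace('/[^A-Za-z0-9_]/', '', $key).
function sanitizeIndexKey(key) {
  return String(key).replace(/[^A-Za-z0-9_]/g, "").slice(0, 64);
}

// Output layer: encode on render so values stored before the fix stay inert.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Save handler sketch: never trust the client check, always sanitize again.
function saveCompositeIndex(store, submitted) {
  const key = sanitizeIndexKey(submitted.index_key);
  if (key === "") throw new Error("index_key is empty after sanitization");
  const record = { index_key: key, columns: [...submitted.columns] };
  store.push(record);
  return record;
}

function renderIndexRow(record) {
  return "<td>" + escapeHtml(record.index_key) + "</td>";
}

// Constructed sample input: one normal key, one carrying markup.
const store = [];
const benign = { index_key: "idx_sku_name", columns: ["sku", "name"] };
const hostile = { index_key: "<img src=x onerror=alert(1)>", columns: ["sku"] };
console.log(isValidIndexKey(benign.index_key), isValidIndexKey(hostile.index_key));
console.log(renderIndexRow(saveCompositeIndex(store, benign)));
console.log(renderIndexRow(saveCompositeIndex(store, hostile)));
// A legacy record written before sanitization existed is still rendered inert.
console.log(renderIndexRow({ index_key: hostile.index_key, columns: [] }));
```

Sanitizing on save only protects new writes; the encoding step in `renderIndexRow` is what keeps keys stored by a version before 10.5.20 from executing after an upgrade.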