The vulnerability stems from the exception message being written into the error.html template without escaping. The commit diff shows the key change from `msg=$exception_message` to `msg={$exception_message}`, adding Smarty variable braces. In Smarty, `{$var}` is the variable output tag, and it is the form to which Smarty's automatic HTML escaping (the `escape_html` setting) applies; a bare `$exception_message` outside braces is not evaluated as a Smarty output tag, so the original form did not pass through that escaping path. The `$exception_message` variable can carry user-influenced data (for example, request input echoed back in an exception message), and rendering it unescaped lets attacker-controlled markup, including script, execute in the browser of whoever views the error page. The patch routes the value through the escaping `{$var}` output path, which is consistent with this being the injection point; the page does not show the surrounding template context, so exactly how the raw value reached the output is not reproduced here. Other template fixes in the commit follow the same pattern but are not explicitly mentioned in the vulnerability description.
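The following is an added example, not Thelia's code, illustrating the Smarty behaviour the fix relies on: a script payload assigned as `exception_message` is neutralised only when it is rendered through the `{$var}` output tag with `escape_html` enabled. It assumes Smarty 3.1 or 4 installed through Composer (class `Smarty`, `setEscapeHtml()` setter, `string:` resource) and uses a constructed error-page fragment rather than Thelia's real error.html; whether Thelia itself enables `escape_html` is an assumption the page does not confirm.

```php
<?php
// Added example (not Thelia's code): demonstrates Smarty auto-escaping of an
// exception message. Assumes smarty/smarty (3.1 or 4) installed via Composer.
require __DIR__ . '/vendor/autoload.php';

/**
 * Render a constructed error-page fragment with Smarty.
 *
 * @param string $template   Smarty template source (constructed for this example)
 * @param string $message    The exception message exposed to the template
 * @param bool   $escapeHtml Whether to enable Smarty's automatic HTML escaping
 */
function renderError(string $template, string $message, bool $escapeHtml): string
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');
    // Smarty's built-in auto-escaping: applies htmlspecialchars() to every
    // {$var} output tag unless the tag carries the "nofilter" flag.
    $smarty->setEscapeHtml($escapeHtml);
    $smarty->assign('exception_message', $message);
    // The "string:" resource compiles the template from a PHP string.
    return $smarty->fetch('string:' . $template);
}

// Constructed attacker-controlled exception text (e.g. request input echoed back).
$payload = '<script>alert(document.cookie)</script>';

// Hardened form: value rendered through {$var} with escaping enabled.
$safe = renderError('<p class="error">{$exception_message}</p>', $payload, true);

// Unescaped render: "nofilter" bypasses escape_html for this one tag, which
// reproduces what an unescaped error page would send to the browser.
$raw = renderError('<p class="error">{$exception_message nofilter}</p>', $payload, true);

// With escape_html off, even the {$var} form is emitted raw.
$unconfigured = renderError('<p class="error">{$exception_message}</p>', $payload, false);

echo "escaped:        $safe\n";
echo "nofilter:       $raw\n";
echo "no escape_html: $unconfigured\n";

// Quick check a practitioner can run: the hardened render must not contain the
// literal tag, while the unescaped renders do.
if (strpos($safe, '<script>') !== false) {
    throw new RuntimeException('escaping failed: raw <script> reached the output');
}
if (strpos($raw, '<script>') === false || strpos($unconfigured, '<script>') === false) {
    throw new RuntimeException('expected the unescaped renders to emit the raw payload');
}
```

The third render is the practical caveat: `{$var}` only escapes when `escape_html` is enabled on the Smarty instance, so when auditing a fix like this one, confirm the application actually turns that setting on (or applies an explicit `|escape` modifier) rather than trusting the braces alone.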
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| thelia/thelia | composer | >= 2.1.0, < 2.1.2 | 2.1.2 |