CVSS Score: -

Basic Information

| Field | Value |
|---|---|
| CVE ID | - |
| GHSA ID | - |
| EPSS Score | - |
| CWE | - |
| Published | - |
| Updated | - |
| KEV Status | - |
| Technology | - |
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| laravel/framework | composer | >= 7.0.0, < 7.1.2 | 7.1.2 |
The vulnerability stems from unescaped attribute values in Blade component tags. The fix in PR #31945 modified the attributesToString method to add escaping for bound attributes. The commit message ('escape bound attributes that are strings') and the code changes in ComponentTagCompiler.php show that, before the patch, user-controlled attribute values were compiled into component tags without HTML encoding. Because those values were rendered without escaping, an attacker who could control an attribute value could inject markup, resulting in XSS.