Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.

Affected Packages

Packagist craftcms/cms

Affected versions: 0 (fixed in 2.6.2976)

Related CVEs

CVE-2017-8384

Key Information

GHSA ID

GHSA-9mcw-mwxv-grwj

Published

May 17, 2022 2:46 AM

Last Modified

October 31, 2023 7:55 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

craftcms/cms

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 31, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.