Impact
The vulnerability allows an attacker to inject arbitrary HTML or JavaScript into the title or description of an HTML error page generated by the Slim framework. When an application uses HttpException::setTitle() or setDescription() with untrusted or request‑derived data, the framework fails to escape that content. The injected code then executes in the victim’s browser when the error page is rendered, providing client‑side code execution and the potential to hijack sessions or deface content. This impact is confined to applications that intentionally supply untrusted data to these methods; vanilla Slim deployments that rely on the default plain‑text error messages remain secure.
Affected Systems
The flaw exists in Slim PHP framework versions 4.4.0 through 4.15. Only applications that customize the error title or description with untrusted data are affected. The issue was mitigated in release 4.15.2, which introduced proper escaping. Upgrading to 4.15.2 or later, or suspending the use of untrusted data in these methods, eliminates the risk.
Risk and Exploitability
The CVSS score of 6.1 marks the vulnerability as medium severity, while the EPSS score of < 1% indicates a low probability of real‑world exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker must deliver a crafted request that triggers the error page to achieve the reflected XSS; this exploitation requires only the web application context and does not grant additional system privileges.
OpenCVE Enrichment
Github GHSA