CVSS Score: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| kallithea | pip | < 0.3 | 0.3 |
The vulnerability stems from improper handling of the `came_from` parameter in the login endpoint (`_admin/login`). CRLF injection occurs because this parameter is used to set HTTP response headers without neutralizing CR/LF characters. The login function that processes this parameter is the primary candidate, since it takes the unsanitized user-supplied value and places it directly into a response header (such as `Location`). This matches the CWE-93 pattern (improper neutralization of CRLF sequences) and the exploit examples that show header injection via this parameter. While the exact code is not available, the admin login controller is the logical location for this handling based on common web application architecture.
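The mitigation the paragraph implies, written out as an added example that is not Kallithea's own code: a hypothetical `is_safe_came_from` check that rejects any redirect target carrying CR/LF (raw or percent-encoded) or pointing off-site, and a `login_redirect_headers` helper that falls back to a default path instead of copying the value into `Location`. Only the parameter name `came_from` comes from the advisory; every function name is assumed.

```python
"""Hypothetical redirect-target check for a 'came_from'-style login parameter
(added example, not Kallithea's code)."""
from urllib.parse import unquote, urlsplit


def is_safe_came_from(value: str) -> bool:
    """Return True only for a same-site relative path with no control characters.

    Both the raw value and its percent-decoded form are inspected, because a
    downstream layer may decode %0d%0a before the header line is written.
    The check runs before urlsplit(), which silently strips \\r and \\n.
    """
    if not value:
        return False
    for candidate in (value, unquote(value)):
        # Any C0 control byte or DEL can terminate or corrupt a header line.
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
            return False
    # Backslash is normalized to '/' by some browsers, turning "/\host" into "//host".
    if "\\" in value:
        return False
    parts = urlsplit(value)
    # Absolute or protocol-relative targets would also make this an open redirect.
    if parts.scheme or parts.netloc:
        return False
    return value.startswith("/") and not value.startswith("//")


def login_redirect_headers(came_from: str, default: str = "/") -> list[tuple[str, str]]:
    """Build post-login redirect headers.

    The CWE-93 pattern described in the advisory is the unchecked form
    ``[("Location", came_from)]``; here the value is validated first and
    replaced by ``default`` when it fails.
    """
    target = came_from if is_safe_came_from(came_from) else default
    return [("Location", target)]


if __name__ == "__main__":
    # Constructed sample inputs: a normal path and one carrying a raw CRLF.
    for sample in ("/repo/changelog", "/\r\nX-Test: 1"):
        print(repr(sample), "->", login_redirect_headers(sample))
```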