| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 8.0, < 8.1.10 | 8.1.10 |
| drupal/drupal | composer | >= 8.0, < 8.1.10 | 8.1.10 |

The vulnerability stems from improper access control on the system.temporary route. In Drupal's architecture, a route handler (a controller method) executes the business logic when its route is accessed. The SystemController::temporary method was mapped to this route but did not enforce the 'administer configuration management' permission check, so any authenticated user could access the config export functionality through this endpoint. The fix would involve adding proper permission checks either in the route definition (system.routing.yml) or directly in the controller method, but the core vulnerability manifests in the controller's execution path.