| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| contao/contao | composer | >= 3.0.0, < 3.5.37 | 3.5.37 |
| contao/contao | composer | >= 4.6.0, < 4.6.11 | 4.6.11 |
| contao/contao | composer | >= 4.4.0, < 4.4.31 | 4.4.31 |
The vulnerability stemmed from missing access control checks in the Data Container Array (DCA) permission validation functions. The commit diff adds checks that the record ID is present in the user's root array before the 'select' and 'paste' actions are allowed, across multiple DCA files (tl_calendar_events, tl_news, etc.); these additions correspond directly to the described vulnerability vectors. The DC_Table.php changes fix root node handling that previously allowed unauthorized access to parent views. The tl_page.php modifications address the pagemounts issue, where a user with empty page mounts was granted unrestricted access instead of none. The patch modifies exactly these functions to add the missing access controls, confirming that they were the vulnerable code.
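The two defects the analysis describes, an action check that never consults the user's root array and an empty mount list treated as unrestricted, shown beside their corrected forms. This is an added PHP illustration, not Contao's own code; every function and variable name is hypothetical.

```php
<?php
// Added illustration, not Contao's own code: the two access-control defects
// described above, each beside its corrected form. All names are hypothetical.

// Defect 1: 'select' and 'paste' were handled without checking that the
// record ID lies in the user's root array.
function isAllowedBeforeFix(string $act, int $id, array $root): bool
{
    // Weak: the root array is never consulted for these actions.
    return in_array($act, ['select', 'paste'], true);
}

function isAllowedAfterFix(string $act, int $id, array $root): bool
{
    // Corrected: the ID must be one of the user's permitted root nodes.
    return in_array($act, ['select', 'paste'], true)
        && in_array($id, $root, true);
}

// Defect 2: an empty mount list was treated as "no restriction".
function rootFromMountsBeforeFix(array $mounts, array $allPages): array
{
    // Weak: no mounts falls through to the whole page tree.
    return $mounts === [] ? $allPages : $mounts;
}

function rootFromMountsAfterFix(array $mounts): array
{
    // Corrected: no mounts means an empty root set, so every ID check fails.
    return $mounts;
}

// Constructed sample data: a page tree 1..10 and a user with no page mounts.
$allPages = range(1, 10);
$mounts   = [];

$weakRoot  = rootFromMountsBeforeFix($mounts, $allPages);
$fixedRoot = rootFromMountsAfterFix($mounts);

// With the weak root derivation, even the fixed ID check lets the action through.
assert(isAllowedAfterFix('paste', 5, $weakRoot) === true);
// With both fixes applied, the unmounted user is denied.
assert(isAllowedAfterFix('paste', 5, $fixedRoot) === false);
// The pre-fix action check ignores the root array entirely.
assert(isAllowedBeforeFix('select', 5, []) === true);
// A user actually mounted on page 5 is still allowed after the fix.
assert(isAllowedAfterFix('select', 5, rootFromMountsAfterFix([5, 7])) === true);
echo "checks passed\n";
```

Run with `zend.assertions=1` (the PHP development default) so the `assert()` calls are evaluated.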