CVE-2019-16403:
Authorization Bypass Through User-Controlled Key in Bagisto

CVSS Score (v3.1)
8.8

Basic Information

EPSS Score
0.52844%
Published
11/8/2019
Updated
2/1/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: bagisto/bagisto
Ecosystem: composer
Vulnerable Versions: < 0.1.5
First Patched Version: 0.1.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing authorization checks on user-controlled resource IDs in customer-facing endpoints. Based on the issue report's reproduction steps and affected routes (/addresses/edit, /reviews/delete, /orders/view), the corresponding controller methods likely directly use user-provided IDs (item_value) to perform operations without verifying resource ownership. This matches the CWE-639 pattern where user-controlled keys enable authorization bypass. Confidence is high due to the specific endpoint-to-controller mapping in Laravel applications and the vulnerability's reproducibility through ID manipulation.
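The pattern described above, shown as an added PHP example that is not Bagisto's own code: the in-memory `addresses` table, the column names, the `loadAddress*` and `handleEdit` function names, and the `customer` guard name are assumptions chosen to mirror a typical Laravel customer-facing controller. The vulnerable lookup resolves the record by the user-controlled id alone; the hardened lookup scopes the query to the authenticated customer, so a tampered id resolves to nothing.

```php
<?php
// Added example illustrating the CWE-639 pattern behind CVE-2019-16403. This is
// not Bagisto's code: the in-memory "addresses" table, the column names and the
// function names are assumptions chosen to mirror a typical Laravel controller.
declare(strict_types=1);

// Constructed sample rows standing in for an `addresses` table.
const ADDRESSES = [
    ['id' => 1, 'customer_id' => 10, 'address1' => '1 First Street'],
    ['id' => 2, 'customer_id' => 20, 'address1' => '2 Second Avenue'],
];

final class NotAuthorized extends RuntimeException {}

// Vulnerable pattern: the record is located by the user-controlled key alone,
// the equivalent of Address::find($id) in Eloquent, so any logged-in customer
// who guesses another customer's address id can read or modify it.
function loadAddressVulnerable(int $id): ?array
{
    foreach (ADDRESSES as $row) {
        if ($row['id'] === $id) {
            return $row;
        }
    }
    return null;
}

// Hardened pattern: the lookup is scoped to the authenticated customer, the
// equivalent of Address::where('customer_id', $customerId)->findOrFail($id).
// A record that exists but belongs to someone else is indistinguishable from a
// missing one, so the id cannot be used to enumerate other customers' data.
function loadAddressScoped(int $customerId, int $id): array
{
    foreach (ADDRESSES as $row) {
        if ($row['id'] === $id && $row['customer_id'] === $customerId) {
            return $row;
        }
    }
    throw new NotAuthorized("address $id is not owned by customer $customerId");
}

// Simulated handler for a route like /addresses/edit/{id}. $customerId stands
// in for auth()->guard('customer')->id() (the guard name is an assumption) and
// $id for the route parameter that the customer controls.
function handleEdit(int $customerId, int $id, string $newAddress1, bool $fixed): string
{
    try {
        $row = $fixed ? loadAddressScoped($customerId, $id) : loadAddressVulnerable($id);
        if ($row === null) {
            return '404 not found';
        }
        $row['address1'] = $newAddress1; // would be an UPDATE in the real handler
        return "200 updated address {$row['id']} (owner {$row['customer_id']})";
    } catch (NotAuthorized $e) {
        return '404 not found'; // same response as a missing record
    }
}

// Customer 20 tampers with the id and targets customer 10's address.
echo 'vulnerable: ', handleEdit(20, 1, 'attacker-chosen', false), PHP_EOL;
echo 'fixed:      ', handleEdit(20, 1, 'attacker-chosen', true), PHP_EOL;
// The legitimate owner still succeeds against the hardened lookup.
echo 'fixed:      ', handleEdit(10, 1, 'new address', true), PHP_EOL;
```

Run it with `php example.php`. The same scoping applies to the other routes named in the report (`/reviews/delete`, `/orders/view`): every query that takes an id from the request should carry the authenticated customer as a mandatory predicate, or the loaded model should be checked against the current user (for instance through a Laravel policy and `$this->authorize(...)`) before anything is read or written. Returning the same 404 for "missing" and "not yours" avoids turning the check into an oracle for valid ids.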

WAF Protection Rules

WAF Rule

In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.

Reasoning

The vulnerability stems from missing authorization checks on user-controlled resource IDs in customer-facing endpoints. Based on the issue report's reproduction steps and affected routes (/addresses/edit, /reviews/delete, /orders/view), the correspon