The GitHub patch adds an explicit check that throws AccessDeniedHttpException when the notification's recipient ID does not match the supplied recipientId parameter. Before the patch, findAndMarkAsRead() only compared recipientId when one was provided and never enforced that the caller actually owned the notification; that missing authorization check is the access control vulnerability. The CWE-838 classification appears inaccurate: this is fundamentally an authorization bypass (CWE-862/CWE-284). The affected function, however, is unambiguous from the patch context.
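As an added illustration of the pattern described above (not pimcore's own code), a minimal PHP sketch of a `findAndMarkAsRead()` that marks a notification read without an ownership check, beside a hardened version that rejects a recipient mismatch with Symfony's `AccessDeniedHttpException`. The `Notification` class and the in-memory `$store` array are hypothetical stand-ins for the real persistence layer.

```php
<?php
declare(strict_types=1);

use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

// Hypothetical stand-in for a persisted notification record.
final class Notification
{
    public function __construct(
        public readonly int $id,
        public readonly int $recipient,
        public bool $read = false,
    ) {}
}

// Vulnerable shape: the record is looked up by id only, and the optional
// $recipientId is never compared against the stored recipient, so any caller
// who knows an id can mark someone else's notification as read.
function findAndMarkAsReadVulnerable(array $store, int $id, ?int $recipientId = null): Notification
{
    $notification = $store[$id] ?? throw new RuntimeException('notification not found');
    $notification->read = true;
    return $notification;
}

// Hardened shape: ownership is enforced before any state change. The caller's
// identity ($recipientId) is mandatory, and a mismatch is refused with a 403.
function findAndMarkAsRead(array $store, int $id, int $recipientId): Notification
{
    $notification = $store[$id] ?? throw new RuntimeException('notification not found');
    if ($notification->recipient !== $recipientId) {
        throw new AccessDeniedHttpException('caller is not the recipient of this notification');
    }
    $notification->read = true;
    return $notification;
}

// Constructed sample data: notification 7 belongs to user 42.
$store = [7 => new Notification(id: 7, recipient: 42)];

// User 99 acting on notification 7 is refused by the hardened version.
try {
    findAndMarkAsRead($store, 7, 99);
} catch (AccessDeniedHttpException $e) {
    echo "denied: {$e->getMessage()}\n";
}

// The legitimate recipient succeeds.
echo findAndMarkAsRead($store, 7, 42)->read ? "marked read\n" : "unchanged\n";
```

Running this requires the `symfony/http-kernel` package on the include path; the vulnerable variant is kept only to show the missing comparison side by side with the fix.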
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pimcore/pimcore | composer | < 6.2.2 | 6.2.2 |