| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pimcore/pimcore | composer | < 6.2.2 | 6.2.2 |

The vulnerability stemmed from the password reset handler providing different error messages for non-existent users vs. existing users with account issues. The lostpasswordAction method in LoginController.php contained explicit checks that set distinct error states ('user unknown', 'user inactive', etc.). Attackers could observe these differences in responses to enumerate valid accounts. The patch unified error handling and removed user existence disclosure, confirming this function's central role in the vulnerability.
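As an added example (not Pimcore's own code), a minimal reset handler shaped like the vulnerable lostpasswordAction sits beside a hardened version that answers identically for every outcome; the User class, sendResetMail and the $log callback are hypothetical stand-ins for the application's model, mailer and logger.

```php
<?php
// Added example, not Pimcore's code: a reset handler shaped like the
// vulnerable lostpasswordAction beside a hardened one. User and
// sendResetMail are hypothetical stand-ins for the app's model and mailer.

final class User
{
    public function __construct(
        public string $username,
        public bool $active,
    ) {}
}

function sendResetMail(User $user): void {} // stand-in for the real mailer

/** @param array<string, User> $users keyed by username */
function lostPasswordVulnerable(array $users, string $username): string
{
    // Each branch answers differently, so the response reveals account state.
    if (!isset($users[$username])) {
        return 'user unknown';
    }
    if (!$users[$username]->active) {
        return 'user inactive';
    }
    sendResetMail($users[$username]);
    return 'reset link sent';
}

function lostPasswordHardened(array $users, string $username, ?callable $log = null): string
{
    // One response for every outcome; the real reason goes only to server-side
    // logs, where a burst of "unknown" entries is the signal worth alerting on.
    $user = $users[$username] ?? null;
    if ($user !== null && $user->active) {
        sendResetMail($user);
        $log && $log("reset requested for '{$username}': mail sent");
    } else {
        $log && $log("reset requested for '{$username}': unknown or inactive, no mail");
    }
    return 'If the account exists, a reset link has been sent.';
}

// Constructed sample data: one active account, one inactive, one missing.
$users = ['alice' => new User('alice', true), 'bob' => new User('bob', false)];
foreach (['alice', 'bob', 'carol'] as $name) {
    printf("%-5s vulnerable: %-15s hardened: %s\n", $name,
        lostPasswordVulnerable($users, $name), lostPasswordHardened($users, $name));
}
```

The hardened body still differs in timing, since mail is only sent on one path; queuing the mail asynchronously and rate-limiting the endpoint closes that remaining side channel.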