-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2, < 2.2.9 | 2.2.9 |
| magento/community-edition | composer | >= 2.3, < 2.3.2 | 2.3.2 |
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability centers around improper input validation in Elasticsearch configuration handling. Magento's architecture uses backend model beforeSave methods for configuration validation. The Elasticsearch configuration backend model's beforeSave method would be the logical point where input validation was missing, allowing injection of malicious parameters. This aligns with the CWE-20 (Input Validation) classification and the described attack vector involving privileged users modifying catalog search configurations.
Ongoing coverage of React2Shell