Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1.0, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2.0, < 2.2.9 | 2.2.9 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.2 | 2.3.2 |
The vulnerability stems from insufficient ACL enforcement in configuration-modification endpoints. Magento admin controllers perform their authorization check in _isAllowed(). The system configuration save controller (Save.php) is the primary target for environment changes. Historical patterns show that similar CVEs were resolved by adding proper ACL checks in these methods. The patched versions explicitly describe the fix as addressing 'insufficient access controls', which strongly implies missing permission validation in these critical configuration write operations.
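As an added example, not code from Magento or from this record, the following stand-alone PHP script models the authorization pattern the analysis refers to: the base action resolves _isAllowed() against a per-controller ADMIN_RESOURCE constant, so a write controller that keeps the broad default is reachable by any admin role, while one that declares a specific resource is not. The Authorization class, the role table and the two controller names are constructed stand-ins for Magento's real ACL service and controllers.

```php
<?php
// Added example (not Magento's code): simplified model of admin-controller
// authorization via _isAllowed() and a per-controller ADMIN_RESOURCE constant.
declare(strict_types=1);

final class Authorization
{
    /** @var array<string, string[]> constructed role => granted ACL resources */
    private const GRANTS = [
        'config_admin' => ['Magento_Backend::admin', 'Magento_Config::config'],
        'catalog_only' => ['Magento_Backend::admin', 'Magento_Catalog::products'],
    ];

    public function __construct(private string $role) {}

    public function isAllowed(string $resource): bool
    {
        return in_array($resource, self::GRANTS[$this->role] ?? [], true);
    }
}

abstract class AbstractAction
{
    // Broad default: every admin role carries this resource.
    public const ADMIN_RESOURCE = 'Magento_Backend::admin';

    public function __construct(protected Authorization $authorization) {}

    protected function _isAllowed(): bool
    {
        // Late static binding: the concrete controller's constant is checked.
        return $this->authorization->isAllowed(static::ADMIN_RESOURCE);
    }

    public function dispatch(): string
    {
        return $this->_isAllowed() ? 'saved' : 'denied';
    }
}

// Weak: a configuration write that never narrows the resource (hypothetical).
class UnscopedConfigSave extends AbstractAction {}

// Hardened: declares the config-specific resource that _isAllowed() enforces.
class ScopedConfigSave extends AbstractAction
{
    public const ADMIN_RESOURCE = 'Magento_Config::config';
}

$catalogRole = new Authorization('catalog_only');
echo 'unscoped: ', (new UnscopedConfigSave($catalogRole))->dispatch(), PHP_EOL;
echo 'scoped:   ', (new ScopedConfigSave($catalogRole))->dispatch(), PHP_EOL;
```

Running it with a role that lacks Magento_Config::config shows the unscoped save going through while the scoped one is refused; in a real Magento module the resource must also be declared in the module's etc/acl.xml for the role grant to exist.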