-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2, < 2.2.9 | 2.2.9 |
| magento/community-edition | composer | >= 2.3, < 2.3.2 | 2.3.2 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from improper validation of user-controlled configuration values that govern file upload restrictions. Key functions identified are those responsible for 1) retrieving allowed extensions from config (ImageUploader::getAllowedExtensions), and 2) enforcing these restrictions during upload (Uploader::_setUploadFile). These functions become vulnerable when configuration values are manipulated to empty, as they lack fallback mechanisms to enforce minimum security constraints. The assessment aligns with Magento's architecture where configuration-driven upload filters are common, and matches the CWE-434 pattern of unrestricted uploads via missing validation.