| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2, < 2.2.9 | 2.2.9 |
| magento/community-edition | composer | >= 2.3, < 2.3.2 | 2.3.2 |

The vulnerability stems from improper validation of user-controlled filenames during sitemap creation. The `Save` controller action accepts the filename input, and the Sitemap model's `generateXml` method processes it. Pre-patch versions lacked extension filtering, so files with a `.php` extension could be written to the filesystem. When such a file is accessed, it executes arbitrary code. The functions that directly handle the filename input and the file generation are the root cause of the code injection.
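
The kind of extension filtering the paragraph above says was missing, as an added example; this is not Magento's patch or code from the advisory. The function name `isSafeSitemapFilename`, the length limit and the sample filenames are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed limit for this example; not a value taken from the advisory.
const MAX_SITEMAP_FILENAME_LENGTH = 32;

/**
 * Hypothetical helper (not Magento's code): accept a sitemap filename only
 * when it is a bare name with a single ".xml" extension.
 */
function isSafeSitemapFilename(string $filename): bool
{
    if ($filename === '' || strlen($filename) > MAX_SITEMAP_FILENAME_LENGTH) {
        return false;
    }
    // Allowlist rather than a ".php" denylist: one name component and one
    // extension. \A and \z anchor the whole string ("$" would also match
    // before a trailing newline). "/" and "\" are outside the character
    // class, so the value cannot carry a path, and a second extension
    // before or after ".xml" is rejected.
    return preg_match('/\A[A-Za-z0-9_-]+\.xml\z/', $filename) === 1;
}

// Constructed sample inputs, mapped to the decision the check should make.
$samples = [
    'sitemap.xml'        => true,
    'store_2-en.xml'     => true,
    'sitemap.php'        => false, // executable extension
    'sitemap.php.xml'    => false, // double extension
    'sitemap.xml.php'    => false, // ".xml" is not the final extension
    'SITEMAP.PHTML'      => false, // case variant of another extension
    '../pub/sitemap.xml' => false, // path component
    "sitemap.xml\n"      => false, // trailing newline
    "sitemap.php\0.xml"  => false, // embedded NUL byte
    '.xml'               => false, // empty base name
];

foreach ($samples as $name => $expected) {
    $actual = isSafeSitemapFilename((string) $name);
    printf(
        "%-24s %s%s\n",
        json_encode((string) $name, JSON_UNESCAPED_SLASHES),
        $actual ? 'accept' : 'reject',
        $actual === $expected ? '' : '  (unexpected)'
    );
}
```

A check like this belongs on the server at the point where the filename is accepted and again where the file is written, so that neither path can be reached with an unvalidated name.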