-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.2, < 2.2.10 | 2.2.10 |
| magento/community-edition | composer | >= 2.3, < 2.3.2-p1 | 2.3.2-p1 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from inadequate validation in file upload/delete controllers for downloadable products. The Upload and Delete controller actions handle user-supplied file paths without proper sanitization or path traversal checks. This allows authenticated attackers to manipulate 'file' parameters to access paths outside the intended directory (e.g., ../../etc/passwd). The CWE-434 classification confirms the unrestricted file upload pattern, and the Magento security bulletin explicitly references these controllers as patched components.