Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability chains CSRF with RCE. Magento's backup functionality is a known command-injection vector (via filenames or command parameters). Admin controllers such as Create in the Backup module are expected to be protected against CSRF by form-key validation; where that validation is absent, a forged request can trigger the backup flow, and insufficient input sanitization in the backup creation path then allows command execution. The patch likely added CSRF validation and input sanitization at this point. The exact patched code is not available, but Magento's security bulletins and related fixes (e.g., PRODSECBUG-2475) strongly implicate this component.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.2-p1 | 2.3.2-p1 |