-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PHPPHP| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.2-p1 | 2.3.2-p1 |
Miggo AIRoot Cause AnalysisThe vulnerability involves bypassing email confirmation via a crafted GET request using data from the registration POST response. The Confirm controller's execute method is responsible for handling email confirmation logic. Insufficient validation of parameters (like tokens or user IDs) in this method would allow unauthenticated attackers to confirm accounts without proper email verification. The CWE-345 (Insufficient Verification of Data Authenticity) aligns with this flaw, as the confirmation endpoint likely accepted untrusted data from GET parameters without ensuring it was legitimately generated by the system.
Ongoing coverage of React2Shell