| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.2-p2 | 2.3.2-p2 |

The vulnerability stems from improper input sanitization during customer attribute creation and editing. The Save controller action (`Magento\Customer\Controller\Adminhtml\Attribute\Save`) is the entry point for processing user-submitted attribute data, while the EAV backend validation (`Magento\Eav\Model\Entity\Attribute\Backend\AbstractBackend`) is responsible for sanitizing attribute values. Both components failed to properly escape user-controlled input (such as customer attribute option labels), allowing stored XSS. The FriendsOfPHP advisory explicitly references PRODSECBUG-2401, which relates to customer attribute option values, and Magento's security notes confirm that the attack vector involves authenticated users manipulating store attributes.
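
The failure described above, reduced to plain PHP as an added example (not Magento's code and not the vendor patch): a stored option label rendered without and with output escaping, plus an audit helper that flags stored labels worth reviewing. The function names and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored customer attribute option labels.
// They are not real Magento data and the array layout is an assumption.
$storedOptionLabels = [
    ['option_id' => 1, 'label' => 'Gold member'],
    ['option_id' => 2, 'label' => 'Tom & Jerry <VIP>'],
    ['option_id' => 3, 'label' => '<script>alert(1)</script>'],
    ['option_id' => 4, 'label' => '" onmouseover="alert(1)'],
];

/** Vulnerable pattern: the stored label is concatenated into markup as-is. */
function renderOptionUnsafe(array $row): string
{
    return '<option value="' . $row['option_id'] . '">' . $row['label'] . '</option>';
}

/** Hardened pattern: escape for the HTML context at output time. */
function renderOptionSafe(array $row): string
{
    $label = htmlspecialchars($row['label'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<option value="' . (int) $row['option_id'] . '">' . $label . '</option>';
}

/** Audit helper: flag labels containing tags or a quote followed by an event handler. */
function findSuspiciousLabels(array $rows): array
{
    return array_values(array_filter($rows, static function (array $row): bool {
        return $row['label'] !== strip_tags($row['label'])
            || preg_match('/["\']\s*on\w+\s*=/i', $row['label']) === 1;
    }));
}

// Show both renderings side by side, then list the rows an operator should review.
foreach ($storedOptionLabels as $row) {
    echo renderOptionUnsafe($row), "\n", renderOptionSafe($row), "\n\n";
}
foreach (findSuspiciousLabels($storedOptionLabels) as $row) {
    echo 'review option_id ', $row['option_id'], "\n";
}
```

The audit helper is deliberately broad: a harmless label such as `Tom & Jerry <VIP>` is flagged too, so its output is a review list, not a verdict.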