
CVE-2020-13868:
Comments plugin Cross-Site Request Forgery (CSRF)

CVSS Score
6.5 (CVSS 3.1)

Basic Information

EPSS Score
0.31446%
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package Name
verbb/comments
Ecosystem
composer
Vulnerable Versions
< 1.5.5
First Patched Version
1.5.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing CSRF protection on a state-changing action. The changelog for 1.5.5 explicitly mentions fixing a CSRF issue in the comment trashing mechanism. Prior to this patch, the trash action (likely handled by actionTrash in CommentsController) accepted requests without CSRF validation. Other actions such as flagging and voting were later secured by requiring POST requests in 1.6.0, but the CVE-2020-13868 fix in 1.5.5 specifically addresses the trash action, which the patch notes therefore identify, with high confidence, as the primary vulnerable function.
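The defect class described above, as an added illustration that is not code from the verbb/comments plugin or from Craft CMS: a "trash" handler that changes state on any request and performs no CSRF check, beside a hardened handler that accepts only POST and only with the token bound to the current session (the same shape as the POST-only fix the analysis mentions for 1.6.0). The class and function names (CommentStore, weakTrashHandler, hardenedTrashHandler) and the sample request data are constructed for this example; the token comparison is written out in plain PHP so it runs without a framework.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.
declare(strict_types=1);

final class CommentStore
{
    /** @var array<int, bool> comment id => trashed flag (constructed sample state) */
    private array $trashed = [];

    public function trash(int $commentId): void
    {
        $this->trashed[$commentId] = true;
    }

    public function isTrashed(int $commentId): bool
    {
        return $this->trashed[$commentId] ?? false;
    }
}

/**
 * Weak handler ("before" shape of the defect): any request that names a
 * commentId trashes it, regardless of HTTP method and with no CSRF token,
 * so a cross-site request riding on the victim's session succeeds.
 */
function weakTrashHandler(CommentStore $store, string $method, array $params): string
{
    $store->trash((int) ($params['commentId'] ?? 0));
    return 'trashed';
}

/**
 * Hardened handler: the state change happens only on POST, and only when the
 * request carries the CSRF token tied to the session. In a Craft-style
 * controller the first check is expressed as $this->requirePostRequest() and
 * the framework validates the token; here both checks are explicit.
 */
function hardenedTrashHandler(CommentStore $store, string $method, array $params, string $sessionToken): string
{
    if ($method !== 'POST') {
        return 'rejected: method not allowed';
    }
    $supplied = (string) ($params['csrfToken'] ?? '');
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if ($supplied === '' || !hash_equals($sessionToken, $supplied)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $store->trash((int) ($params['commentId'] ?? 0));
    return 'trashed';
}

// Constructed session token; a real application issues one per session.
$sessionToken = bin2hex(random_bytes(16));

// A forged cross-site request: GET, no token, just the target comment id.
$forged = ['commentId' => 42];

$weak = new CommentStore();
echo 'weak handler, forged GET: ', weakTrashHandler($weak, 'GET', $forged),
     ' (comment 42 trashed: ', var_export($weak->isTrashed(42), true), ")\n";

$hard = new CommentStore();
echo 'hardened handler, forged GET: ', hardenedTrashHandler($hard, 'GET', $forged, $sessionToken), "\n";
echo 'hardened handler, forged POST without token: ',
     hardenedTrashHandler($hard, 'POST', $forged, $sessionToken), "\n";
echo 'comment 42 trashed after forged attempts: ', var_export($hard->isTrashed(42), true), "\n";

// A legitimate same-origin form submission carrying the session's token.
$legit = $forged + ['csrfToken' => $sessionToken];
echo 'hardened handler, legitimate POST: ', hardenedTrashHandler($hard, 'POST', $legit, $sessionToken),
     ' (comment 42 trashed: ', var_export($hard->isTrashed(42), true), ")\n";
```

Run with `php` on the command line. The weak handler trashes the comment on the forged GET; the hardened handler rejects the forged GET and the token-less POST and only acts on the request that carries the session's token. Requiring POST on its own is not sufficient protection (a cross-site form can POST), which is why the token check is the part that actually closes the CSRF hole.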

Vulnerable functions


WAF Protection Rules

WAF Rule

An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity.
