The vulnerability exists in the local roles deserialization logic, where user-provided role assignments were accepted without proper validation. The patch adds an intersection with managed_roles so that a user can only delegate roles they are themselves allowed to manage. The call method of DeserializeFromJson is the entry point for processing @sharing endpoint requests, making it the direct handler of the vulnerable input. The test cases demonstrate how unprivileged users could previously assign the Manager and Reviewer roles through this endpoint.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| plone.restapi | pip | < 6.2.1 | 6.2.1 |
| Plone | pip | >= 5.2.0, < 5.2.2 | 5.2.2 |
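The check the patch introduces, as an added illustration that is not plone.restapi's own code: a minimal local-roles deserializer that, after the fix, intersects every requested role set with the roles the caller is allowed to delegate. The payload shape, the role names and the `managed_roles` argument are assumptions chosen to mirror the description above.

```python
from typing import Dict, Set

# Constructed sample payload in the shape of a sharing request:
# one entry per principal, with the roles requested for them (True = grant).
SAMPLE_BODY = {
    "entries": [
        {"id": "alice", "roles": {"Reader": True, "Editor": True}},
        {"id": "mallory", "roles": {"Reader": True, "Manager": True, "Reviewer": True}},
    ]
}


def requested_roles(body: dict) -> Dict[str, Set[str]]:
    """Parse the payload into {principal: set of roles requested}, with no checks."""
    return {
        entry["id"]: {role for role, on in entry.get("roles", {}).items() if on}
        for entry in body.get("entries", [])
    }


def roles_before_fix(body: dict, managed_roles) -> Dict[str, Set[str]]:
    """Vulnerable behaviour: whatever the client requested is applied as-is,
    so an unprivileged caller can hand out Manager or Reviewer."""
    return requested_roles(body)


def roles_after_fix(body: dict, managed_roles) -> Dict[str, Set[str]]:
    """Patched behaviour: intersect each requested role set with the roles the
    requesting user is permitted to delegate (the managed_roles check)."""
    managed = set(managed_roles)
    return {principal: roles & managed for principal, roles in requested_roles(body).items()}


def rejected_roles(body: dict, managed_roles) -> Dict[str, Set[str]]:
    """Roles the fix silently drops; worth logging as an attempted escalation."""
    managed = set(managed_roles)
    return {
        principal: roles - managed
        for principal, roles in requested_roles(body).items()
        if roles - managed
    }
```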