Miggo Logo
Miggo Vulnerability Database
CVE-2022-24086

CVE-2022-24086: Magento improper input validation vulnerability

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-24086
GHSA ID
GHSA-f8fv-f786-9933
EPSS Score
0.99595%
CWE
CWE-20
Published
2/17/2022
Updated
1/11/2024
KEV Status
Yes
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.3.3-p1, < 2.3.7-p32.3.7-p3
magento/community-editioncomposer>= 2.4.0, < 2.4.3-p22.4.3-p2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input validation during checkout, specifically allowing unvalidated/unserialized user input to be processed. Magento's cart/checkout flow heavily interacts with Quote/Address attributes and cart update controllers. Custom attributes (via CustomAttributeList) and cart update parameters (via UpdatePost) are prime vectors for unchecked user input. Historical context shows Magento vulnerabilities often involve unserialize() calls on user-controlled data (e.g., email fields). These functions are critical points where input validation was likely missing in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-p* (*n* **rli*r) *n* *.*.*-p* (*n* **rli*r) *r* *****t** *y *n improp*r input v*li**tion vuln*r**ility *urin* t** ****kout pro**ss. *xploit*tion o* t*is issu* *o*s not r*quir* us*r int*r**tion *n* *oul* r*sult in *r*itr*

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion *urin* ****kout, sp**i*i**lly *llowin* unv*li**t**/uns*ri*liz** us*r input to ** pro**ss**. M***nto's `**rt/****kout` *low ***vily int*r**ts wit* `Quot*/***r*ss` *ttri*ut*s *n* **rt up**t* *ontro