-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mautic/core | composer | >= 1.0.0-beta3, < 4.4.13 | 4.4.13 |
| mautic/core | composer | >= 5.0.0-alpha, < 5.1.1 | 5.1.1 |
| mautic/core-lib | composer | >= 1.0.0-beta3, < 4.4.13 | 4.4.13 |
| mautic/core-lib | composer | >= 5.0.0-alpha, < 5.1.1 | 5.1.1 |
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability stems from upgrade.php being accessible in the web root without authentication. This file contained critical upgrade functions that: 1) Perform file system operations (move_mautic_* functions) 2) Modify system components 3) Clear application cache. The commit fixes this by removing upgrade.php from web-accessible locations and moving it to protected scaffolding directories. The CWE-306 mapping confirms these functions lacked required authentication for critical upgrade operations. The patch's removal of web-root access to upgrade.php and modification of build scripts to use protected paths directly addresses the authentication bypass vulnerability in these functions.