
CVE-2022-28056: Incorrect Permission Assignment for Critical Resource in ShopXO

CVSS 3.1 Score: 9.8

Basic Information

EPSS Score: 0.60607%
Published: 5/3/2022
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: shopxo/shopxo
Ecosystem: composer
Vulnerable Versions: < 2.2.6
First Patched Version: 2.2.6

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability description explicitly references the Add function in app/install/controller/Index.php as the entry point for re-installation attacks. In secure implementations, installation endpoints should be disabled after initial setup. The presence of this accessible function with insufficient access controls allows attackers to trigger a reinstall, aligning with CWE-732 (incorrect permissions on critical resources). The direct match between the advisory's technical description and the function's role in the installation process justifies high confidence.
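The analysis above states the defensive principle (install endpoints must stop working once setup has completed) without showing what that looks like in code. The following is an added example written for this page, not ShopXO's code and not the patched Index.php: the class names, the lock-file path and the controller method names are hypothetical. It shows an install controller whose actions are gated by a lock file that is claimed atomically, so that a second request (concurrent or months later) cannot re-run installation.

```php
<?php
// Added example (hypothetical, not ShopXO's code): an install-lock guard.
// Once installation has completed, a lock file exists and every install
// action refuses to run. The lock is claimed with fopen(..., 'x') (O_EXCL),
// so two concurrent install requests cannot both pass the check.

declare(strict_types=1);

final class InstallGuard
{
    public function __construct(private string $lockFile) {}

    /** True once installation has completed. */
    public function isInstalled(): bool
    {
        return is_file($this->lockFile);
    }

    /**
     * Atomically claim the right to install. Returns false if the lock
     * already exists, i.e. installation has run (or is running) before.
     */
    public function acquire(): bool
    {
        $fh = @fopen($this->lockFile, 'x'); // 'x' fails when the file exists
        if ($fh === false) {
            return false;
        }
        fwrite($fh, 'installed ' . date('c') . PHP_EOL);
        fclose($fh);
        return true;
    }

    /** Deny with 403 and stop; used by read-only install pages. */
    public function requireNotInstalled(): void
    {
        if ($this->isInstalled()) {
            http_response_code(403);
            exit("Installation is locked.\n");
        }
    }
}

// Hypothetical install controller showing where the guard belongs.
final class InstallController
{
    public function __construct(private InstallGuard $guard) {}

    // The wizard page: refuse to render once installed.
    public function index(): void
    {
        $this->guard->requireNotInstalled();
        echo "install wizard\n";
    }

    // The step that writes config and (re)creates tables. It claims the
    // lock first, so no other request can reach the install logic.
    public function add(array $params): void
    {
        if (!$this->guard->acquire()) {
            http_response_code(403);
            exit("Installation is locked; reinstall requires removing the lock file on the server.\n");
        }
        // ... write database config, create tables, create the admin account ...
        echo "installed with db_host={$params['db_host']}\n";
    }
}

$guard = new InstallGuard(__DIR__ . '/install.lock');
$controller = new InstallController($guard);
$controller->add(['db_host' => '127.0.0.1']); // first run: installs and writes the lock
$controller->add(['db_host' => '127.0.0.1']); // second run: 403, never reaches install logic
```

Claiming the lock before doing any work (rather than after) is what closes the race between two simultaneous install requests; the cost is that a failed installation leaves the lock in place and an operator must remove it by hand, which is the safer default for a critical endpoint. A web-server rule that blocks the install path entirely after setup is a reasonable second layer, since it holds even if a future code change forgets the guard.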


WAF Protection Rules

WAF Rule

ShopXO v*.*.* and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php.
