CVE-2022-30852: Known v1.3.1 contains Insecure Direct Object Reference

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.362%
Published: 7/9/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
idno/known     composer    <= 1.3.1              (none listed)

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from an improper authorization check in the Homepage admin controller. Other admin pages call adminGatekeeper() to verify admin privileges, but the Homepage admin functions call createGatekeeper(), which only requires an authenticated user who is allowed to create content. This is the CWE-639 pattern (Authorization Bypass Through User-Controlled Key): the access decision effectively rests on a property the requester controls (being logged in at all) rather than on the admin role the endpoint is meant to enforce, so any registered non-admin user can submit changes to the homepage settings, which the CVE records as an IDOR. This is consistent with the CVSS vector (PR:L, UI:N, C:N/I:L/A:N): exploitation needs a low-privilege account and no user interaction, and yields a limited integrity impact only. The researcher's blog explicitly identifies these functions and the gatekeeper mismatch as the root cause.
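The gatekeeper mismatch, as an added example that is not Known's own code: a simplified stand-in Page base class with the two gatekeepers named above, a Homepage admin controller in its vulnerable and hardened forms, and a constructed request from a non-admin member. The User, Page, ForbiddenException and HomepageAdmin* classes, the canCreate flag and the $siteConfig array are assumptions made for illustration; only the method names adminGatekeeper() and createGatekeeper() come from the advisory text.

```php
<?php
// Added example modelling CVE-2022-30852's root cause. Not Known's code:
// Page, User, ForbiddenException and the HomepageAdmin* classes are
// simplified stand-ins (assumptions); adminGatekeeper()/createGatekeeper()
// are the method names the advisory cites.
declare(strict_types=1);

final class User {
    public function __construct(
        public readonly string $handle,
        public readonly bool $admin,
        public readonly bool $canCreate = true, // ordinary members may create content
    ) {}
}

final class ForbiddenException extends RuntimeException {}

abstract class Page {
    public function __construct(protected ?User $currentUser) {}

    // "Basic authentication": passes for any logged-in user allowed to create content.
    protected function createGatekeeper(): void {
        if ($this->currentUser === null || !$this->currentUser->canCreate) {
            throw new ForbiddenException('login with create permission required');
        }
    }

    // Admin check: the gate every admin page is expected to use.
    protected function adminGatekeeper(): void {
        if ($this->currentUser === null || !$this->currentUser->admin) {
            throw new ForbiddenException('admin privileges required');
        }
    }

    abstract public function postContent(array $input, array &$siteConfig): void;
}

// Vulnerable pattern: an admin page guarded by the wrong gatekeeper.
final class HomepageAdminVulnerable extends Page {
    public function postContent(array $input, array &$siteConfig): void {
        $this->createGatekeeper();   // BUG: any logged-in member passes this check
        $siteConfig['homepage'] = $input['homepage'];
    }
}

// Hardened form: same handler, correct gate.
final class HomepageAdminFixed extends Page {
    public function postContent(array $input, array &$siteConfig): void {
        $this->adminGatekeeper();    // only admins may change site settings
        $siteConfig['homepage'] = $input['homepage'];
    }
}

// Constructed scenario: a request to the admin form, with and without a session.
function attempt(string $pageClass, ?User $user): string {
    $siteConfig = ['homepage' => 'default'];
    $page = new $pageClass($user);
    try {
        $page->postContent(['homepage' => 'attacker-chosen'], $siteConfig);
        return "allowed, homepage is now '{$siteConfig['homepage']}'";
    } catch (ForbiddenException $e) {
        return 'denied: ' . $e->getMessage();
    }
}

$member = new User(handle: 'mallory', admin: false); // registered, non-admin (PR:L)
$anon   = null;                                       // no session at all

foreach ([HomepageAdminVulnerable::class, HomepageAdminFixed::class] as $cls) {
    printf("%-24s member: %s\n", $cls, attempt($cls, $member));
    printf("%-24s anon:   %s\n", $cls, attempt($cls, $anon));
}
```

Run with PHP 8.1 or later: the member's submission is accepted by the vulnerable controller and rejected by the fixed one, while the anonymous request is rejected by both, which is exactly the gap between "logged in" and "admin" the advisory describes. The audit check follows from the same pattern: every page under the admin namespace should call adminGatekeeper() before acting, and a createGatekeeper() call in an admin page is the finding.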


Description

Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR). The researcher report indicates that versions 1.3.1 and prior are vulnerable. Version 1.3.1 is the last version tagged on GitHub and in Packagist, and development rel
