| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rdiffweb | pip | >= 0, < 2.4.6 | 2.4.6 |
The vulnerability stemmed from the `SettingsPage.default` handler performing state-changing operations (updating `keepdays`, `new_encoding` and `maxage`) without requiring a POST request. The pre-patch code did no HTTP method validation, so a forged GET request could change a logged-in user's settings: a GET-based CSRF. The fix added an `if cherrypy.request.method == 'POST'` guard clause around the state-changing code, and the accompanying tests verify that GET requests no longer modify data. This matches the classic CSRF pattern in which a state-changing endpoint lacks anti-CSRF protections such as method enforcement or token validation.
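The following is an added illustration of the pre-patch and patched handler shapes described above. It is not rdiffweb's code and does not import CherryPy: the `Request` and `Settings` classes are hypothetical stand-ins for `cherrypy.request` and a user's settings record, so the example runs offline. The `_apply_settings` helper, the handler names and the sample values are all constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical stand-in for cherrypy.request: only the two attributes the
# CSRF pattern depends on (HTTP method and submitted parameters).
@dataclass
class Request:
    method: str
    params: dict

# Hypothetical stand-in for the per-user settings the real handler updates.
@dataclass
class Settings:
    keepdays: int = 30
    new_encoding: str = "utf-8"
    maxage: int = 0

def _apply_settings(settings: Settings, params: dict) -> Settings:
    """Apply whichever of the three settings were submitted.

    Shared by both handler variants so the only difference between them is
    the presence or absence of the HTTP method guard.
    """
    if "keepdays" in params:
        settings.keepdays = int(params["keepdays"])
    if "new_encoding" in params:
        settings.new_encoding = str(params["new_encoding"])
    if "maxage" in params:
        settings.maxage = int(params["maxage"])
    return settings

def settings_handler_unsafe(settings: Settings, request: Request) -> Settings:
    """Pre-patch shape: any request carrying the parameters changes state.

    A plain GET is enough, which is what makes the endpoint CSRF-able from
    a cross-site link or embedded resource.
    """
    return _apply_settings(settings, request.params)

def settings_handler_guarded(settings: Settings, request: Request) -> Settings:
    """Patched shape: mirrors the `if cherrypy.request.method == 'POST'`
    guard. GET requests fall through and only render the page, leaving the
    settings untouched.
    """
    if request.method == "POST":
        _apply_settings(settings, request.params)
    return settings

def get_leaves_settings_unchanged(handler) -> bool:
    """Regression check in the spirit of the advisory's accompanying tests:
    a GET carrying state-changing parameters must not alter any field.
    """
    before = Settings()
    after = handler(Settings(), Request("GET", {"keepdays": "7",
                                                 "new_encoding": "latin-1",
                                                 "maxage": "90"}))
    return after == before

if __name__ == "__main__":
    # Constructed request: the same parameters over GET and over POST.
    print("unsafe handler, GET :", settings_handler_unsafe(Settings(), Request("GET", {"keepdays": "7"})))
    print("guarded handler, GET:", settings_handler_guarded(Settings(), Request("GET", {"keepdays": "7"})))
    print("guarded handler, POST:", settings_handler_guarded(Settings(), Request("POST", {"keepdays": "7"})))
    print("GET regression check passes for guarded handler:",
          get_leaves_settings_unchanged(settings_handler_guarded))
```

In a real CherryPy application the same enforcement can be declared rather than hand-written, with CherryPy's built-in `@cherrypy.tools.allow(methods=['POST'])` tool, which answers non-POST requests with a 405 instead of silently rendering the page. Either form closes the GET-based CSRF the advisory describes, but method enforcement alone does not stop a cross-origin form POST; the token validation the advisory also names is what covers that case.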