CVSS Score: -
Basic Information
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rdiffweb | pip | < 2.5.0a7 | 2.5.0a7 |
The vulnerability stems from missing email notifications when MFA was enabled or disabled. Commit c27c46b added notification logic to NotificationPlugin.user_attr_changed to handle changes to the 'mfa' attribute and updated the UserObject model to propagate those changes. Before the patch, user_attr_changed handled only email-address changes, so MFA modifications went unmonitored, and the UserObject MFA setter (wired through SQLAlchemy events) did not trigger the notification workflow, so the setting could change silently. Together these two gaps formed a business-logic flaw in which a security-critical account change was never reported to the user.
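As an added illustration (a constructed model, not rdiffweb's own code): a minimal UserObject whose setters emit attribute-change events to a NotificationPlugin. With only 'email' monitored, matching the pre-patch behaviour described above, toggling MFA produces no notification; adding 'mfa' to the monitored set closes the gap. Names such as `subscribe`, `set_mfa` and `simulate` are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class UserObject:
    """Constructed stand-in for the ORM model: setters emit change events."""
    username: str
    email: str
    mfa: int = 0
    _listeners: List[Callable[..., None]] = field(default_factory=list, repr=False)

    def subscribe(self, listener: Callable[..., None]) -> None:
        self._listeners.append(listener)

    def _set(self, attr: str, new) -> None:
        old = getattr(self, attr)
        if old == new:
            return
        setattr(self, attr, new)
        for cb in self._listeners:  # propagate the change (models the SQLAlchemy event)
            cb(self, attr, old, new)

    def set_email(self, new_email: str) -> None:
        self._set("email", new_email)

    def set_mfa(self, enabled: bool) -> None:
        self._set("mfa", 1 if enabled else 0)


class NotificationPlugin:
    """Decides which attribute changes warrant an email to the account owner."""

    def __init__(self, monitored: Tuple[str, ...]) -> None:
        self.monitored = set(monitored)
        self.sent: List[Tuple[str, str]] = []  # (username, subject), stands in for email sending

    def user_attr_changed(self, user: UserObject, attr: str, old, new) -> None:
        if attr not in self.monitored:  # pre-patch: 'mfa' never reached here
            return
        subject = ("MFA enabled" if new else "MFA disabled") if attr == "mfa" else f"{attr} changed"
        self.sent.append((user.username, subject))


def simulate(monitored: Tuple[str, ...]) -> List[str]:
    """Enable MFA, disable it, then change the email; return the subjects sent."""
    user = UserObject("alice", "alice@example.com")  # constructed sample user
    plugin = NotificationPlugin(monitored)
    user.subscribe(plugin.user_attr_changed)
    user.set_mfa(True)
    user.set_mfa(False)
    user.set_email("alice@new.example")
    return [subject for _, subject in plugin.sent]
```

`simulate(("email",))` models the vulnerable configuration and yields only the email-change notice, while `simulate(("email", "mfa"))` also reports both MFA transitions.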