Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
The vulnerability stems from missing session validation when handling quiz progression. In the vulnerable versions, the QuizController actions that render the quiz (showAction) and process form submissions (showAjaxAction) accepted whatever participant ID the request carried and never verified that this participant belonged to the current user's session. An attacker could therefore submit an arbitrary participant ID and continue, answer or view another participant's quiz, effectively hijacking that participant's session. The fix on GitHub introduced session-key checks in the templates (Show.html/ShowAjax.html) and in the controller logic, so a request is only processed when the participant it names is the one bound to the caller's own session. Remediation is a version upgrade: sites on the 2.x branch should move to 2.2.1 and sites on the 3.x branch to 3.5.2, as listed in the table below.
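The following is an added illustration of the flaw described above and of the kind of session-key binding the fix introduces; it is not code from fp_masterquiz or from its patch. The record layout, the session array, the hidden-field helper and the function names are assumptions made for this example, and TYPO3's request and session objects are replaced by plain arrays so the script runs with the php CLI alone.

```php
<?php
declare(strict_types=1);
// Added example, not code from fp_masterquiz or its patch. Record shape, session
// layout and function names are assumptions; arrays stand in for TYPO3 objects.

// Constructed participant records, keyed by uid (no database involved).
$participants = [
    1 => ['uid' => 1, 'name' => 'alice', 'session_key' => null, 'answers' => []],
    2 => ['uid' => 2, 'name' => 'bob',   'session_key' => null, 'answers' => []],
];

// Vulnerable shape: the participant uid comes straight from the request and is
// never compared with anything the caller's own session vouches for, so any
// visitor can submit answers as any participant.
function showAjaxActionVulnerable(array $request, array $session, array &$participants): string
{
    $uid = (int)($request['participant'] ?? 0);
    if (!isset($participants[$uid])) {
        return 'unknown participant';
    }
    $participants[$uid]['answers'][] = $request['answer'] ?? null;
    return "stored answer for {$participants[$uid]['name']}";
}

// Hardened shape (assumed mechanism). When a quiz starts, a random session key
// is generated, stored on the participant record and in the caller's session.
function startQuiz(int $uid, array &$session, array &$participants): void
{
    $key = bin2hex(random_bytes(16));
    $participants[$uid]['session_key'] = $key;
    $session['masterquiz'] = ['participant' => $uid, 'key' => $key];
}

// The template echoes the key back as a hidden field on every quiz step.
function renderHiddenField(array $session): string
{
    $key = htmlspecialchars($session['masterquiz']['key'] ?? '', ENT_QUOTES);
    return '<input type="hidden" name="sessionKey" value="' . $key . '">';
}

// Every later request must name the participant bound to the session and carry
// the matching key; anything else is refused before any state is touched.
function showAjaxActionHardened(array $request, array $session, array &$participants): string
{
    $uid   = (int)($request['participant'] ?? 0);
    $bound = $session['masterquiz'] ?? null;
    $sent  = (string)($request['sessionKey'] ?? '');
    if ($bound === null
        || $bound['participant'] !== $uid
        || !isset($participants[$uid])
        || $participants[$uid]['session_key'] === null
        || !hash_equals($participants[$uid]['session_key'], $sent)
        || !hash_equals($bound['key'], $sent)) {
        return 'forbidden';
    }
    $participants[$uid]['answers'][] = $request['answer'] ?? null;
    return "stored answer for {$participants[$uid]['name']}";
}

// Demo: bob starts a quiz, then forges a request naming alice (uid 1).
$bobSession = [];
startQuiz(2, $bobSession, $participants);
echo renderHiddenField($bobSession), PHP_EOL;

$forged = ['participant' => 1, 'answer' => 'B', 'sessionKey' => $bobSession['masterquiz']['key']];
echo showAjaxActionVulnerable($forged, $bobSession, $participants), PHP_EOL;
echo showAjaxActionHardened($forged, $bobSession, $participants), PHP_EOL;

// bob's own request, carrying his own uid and key, is still accepted.
$own = ['participant' => 2, 'answer' => 'B', 'sessionKey' => $bobSession['masterquiz']['key']];
echo showAjaxActionHardened($own, $bobSession, $participants), PHP_EOL;
```

Run it with `php example.php`: the vulnerable handler records the forged answer against alice, while the hardened handler refuses the forged request and only accepts the one whose participant and key both match bob's session. The point to carry over when reviewing a real fix is that the hidden field in the template is only a transport; the comparison in the controller against server-side session state is what actually enforces the binding.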
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| fixpunkt/fp-masterquiz | composer | >= 3.0.0, < 3.5.2 | 3.5.2 |
| fixpunkt/fp-masterquiz | composer | < 2.2.1 | 2.2.1 |