Basic Information

CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| froxlor/froxlor | composer | < 2.0.11 | 2.0.11 |
The vulnerability stems from the state-changing AJAX endpoints updateTablelisting and resetTablelisting retrieving their parameters with Request::any(), which accepts a parameter regardless of the HTTP method used. The endpoints therefore honoured requests sent via any method, including GET, bypassing CSRF protections. The patch replaced Request::any() with Request::post(), so the parameters are only read from POST requests. Since a POST request requires explicit user interaction (e.g., a form submission) and is typically paired with a CSRF token in frameworks, this change mitigates CSRF by preventing trivial exploitation via GET. The absence of CSRF token checks in the original code further exacerbated the issue, making these functions high-confidence candidates for the vulnerable code.
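The following is an added PHP example, not Froxlor's own code: it contrasts the "any method" parameter lookup the advisory describes with a handler that enforces POST as the patch did and also validates a session-bound CSRF token. The function and parameter names are illustrative assumptions, and Froxlor's real Request class is not reproduced.

```php
<?php
declare(strict_types=1);
// Added example, not Froxlor code. Helper names are assumptions for illustration.

// Vulnerable pattern: the parameter is taken from POST or GET, mirroring a
// Request::any()-style lookup. The state change happens for any HTTP method,
// so a forged cross-site GET is honoured even though it carries no token.
function updateTablelistingVulnerable(array $get, array $post, array &$settings): bool
{
    $value = $post['listing'] ?? $get['listing'] ?? null;  // "any" lookup
    if ($value === null) {
        return false;
    }
    $settings['listing'] = $value;
    return true;
}

// Hardened pattern: require POST (as the patch did) and, in addition, verify a
// CSRF token that is bound to the session. Method enforcement alone narrows
// the exposure; the token check is what actually ties the request to the user.
function updateTablelistingHardened(string $method, array $post, array $session, array &$settings): bool
{
    if ($method !== 'POST') {
        return false;                       // reject GET, HEAD and the rest outright
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the token cannot be guessed
    // byte by byte through timing differences.
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return false;
    }
    $value = $post['listing'] ?? null;     // POST-only lookup
    if ($value === null) {
        return false;
    }
    $settings['listing'] = $value;
    return true;
}

// Constructed sample requests: a forged GET with no token, then a legitimate
// POST that carries the token stored in the user's session.
$settings = ['listing' => 'default'];
$session  = ['csrf_token' => bin2hex(random_bytes(16))];
$forgedGet = ['listing' => 'forged'];
$legitPost = ['listing' => 'compact', 'csrf_token' => $session['csrf_token']];

echo 'vulnerable handler, forged GET: ', var_export(updateTablelistingVulnerable($forgedGet, [], $settings), true), PHP_EOL;
echo 'hardened handler, forged GET:   ', var_export(updateTablelistingHardened('GET', [], $session, $settings), true), PHP_EOL;
echo 'hardened handler, legit POST:   ', var_export(updateTablelistingHardened('POST', $legitPost, $session, $settings), true), PHP_EOL;
```

Run it with `php example.php`; the vulnerable handler applies the forged GET, while the hardened handler accepts only the token-bearing POST.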