-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | = 2.4.7-beta1 | 2.4.7-beta2 |
| magento/community-edition | composer | = 2.4.6 | |
| magento/community-edition | composer | = 2.4.5 | |
| magento/community-edition | composer | = 2.4.4 | |
| magento/community-edition | composer | >= 2.4.6-p1, < 2.4.6-p3 | 2.4.6-p3 |
| magento/community-edition | composer | >= 2.4.5-p1, < 2.4.5-p5 | 2.4.5-p5 |
| magento/community-edition | composer | >= 2.4.4-p1, < 2.4.4-p6 | 2.4.4-p6 |
| magento/project-community-edition | composer | <= 2.0.2 |
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability centers on improper input validation and authorization in the V1/customers/me endpoint. The 'me' endpoint typically maps to the current user, but the issue suggests the system allows substituting or overriding this reference. The controller action (Get::execute) is the entry point for this endpoint and is responsible for input handling. If it passes unvalidated user-supplied parameters (e.g., a manipulated customer ID) to CustomerRepositoryInterface::getById, which lacks authorization checks, attackers can access arbitrary customer data. Both functions are critical to the insecure direct object reference chain described in CWE-639 and CWE-863.
Ongoing coverage of React2Shell