Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The critical vulnerability is in the element save flow (the actionSave method): authorization was checked only after the user-controlled POST parameters had already been applied to the element. An attacker could therefore set element properties in the request so that the modified element passed a permission check the stored element would have failed, bypassing the check that should have been made against the element as it existed before the request. The patch adds an authorization check before the POST parameters are applied and keeps the existing check after they are applied, confirming that the missing pre-application authorization check in actionSave was the root cause.
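The ordering bug described above, as an added example that is not Craft CMS code: the Element and User classes, the canSave permission model and the two actionSave variants are hypothetical stand-ins, and the siteId-based permission is an assumption chosen only to make the bypass concrete. The vulnerable version applies the request parameters and then authorizes; the patched version authorizes the stored element first, applies the parameters, and authorizes again.

```php
<?php
// Added example, not Craft CMS code. Element, User and canSave() are
// hypothetical stand-ins for an element save action.

final class Element
{
    public function __construct(
        public int $id,
        public int $siteId,
        public string $title,
    ) {}
}

final class User
{
    /** @param int[] $editableSiteIds sites this user may edit (assumed permission model) */
    public function __construct(public array $editableSiteIds) {}

    public function canSave(Element $element): bool
    {
        return in_array($element->siteId, $this->editableSiteIds, true);
    }
}

// Copies user-controlled POST parameters onto the element.
function applyPostParams(Element $element, array $post): void
{
    if (isset($post['siteId'])) {
        $element->siteId = (int) $post['siteId'];
    }
    if (isset($post['title'])) {
        $element->title = (string) $post['title'];
    }
}

// Vulnerable ordering: parameters are applied before authorization, so a
// request that moves the element into a site the user may edit passes the
// only check, even though the user could not edit the stored element.
function actionSaveVulnerable(User $user, Element $element, array $post): bool
{
    applyPostParams($element, $post);
    if (!$user->canSave($element)) {
        return false; // forbidden
    }
    return true; // element would be persisted here
}

// Patched ordering: authorize the element as stored, then apply the
// parameters, then authorize the resulting element. The first check stops
// the bypass; the second still prevents moving an element somewhere the
// user cannot edit.
function actionSavePatched(User $user, Element $element, array $post): bool
{
    if (!$user->canSave($element)) {
        return false; // forbidden before any request data is applied
    }
    applyPostParams($element, $post);
    if (!$user->canSave($element)) {
        return false; // forbidden after applying request data
    }
    return true; // element would be persisted here
}

// Constructed scenario: the user may edit site 2 only; the stored element
// lives in site 1; the request asks to move it to site 2.
$user   = new User(editableSiteIds: [2]);
$stored = new Element(id: 10, siteId: 1, title: 'Original');
$post   = ['siteId' => 2, 'title' => 'Tampered'];

var_dump(actionSaveVulnerable($user, clone $stored, $post));
var_dump(actionSavePatched($user, clone $stored, $post));
```

With the constructed input the vulnerable action accepts the request, because by the time it checks permissions the element already claims to belong to a site the user may edit, while the patched action rejects it at the pre-application check. Note that both checks are needed: dropping the second one would let a user who can edit the stored element move it into a site they cannot edit.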
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| craftcms/cms | composer | >= 4.0.0-RC1, <= 4.5.10 | 4.5.11 |
| craftcms/cms | composer | >= 3.0.0, <= 3.9.5 | 3.9.6 |