
CVE-2024-39319: IDOR vulnerability in account profile page

CVSS Score: 5.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.47434%
Published: 9/26/2024
Updated: 3/5/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| aimeos/ai-controller-frontend | composer | = 2024.04.1 | 2024.04.2 |
| aimeos/ai-controller-frontend | composer | >= 2023.04.1, < 2023.10.9 | 2023.10.9 |
| aimeos/ai-controller-frontend | composer | >= 2022.04.1, < 2022.10.8 | 2022.10.8 |
| aimeos/ai-controller-frontend | composer | >= 2021.04.1, < 2021.10.8 | 2021.10.8 |
| aimeos/ai-controller-frontend | composer | < 2020.10.15 | 2020.10.15 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing authorization checks in the review deletion and subscription management functions. The GitHub patches show:

  1. Review\Standard::delete() gained a customerid filter, so a request can only delete reviews owned by the current customer.
  2. Subscription\Standard::cancel() and get() were changed to include the customer context in their queries, so a subscription ID belonging to another customer no longer matches.

CWE-639 (Authorization Bypass Through User-Controlled Key) maps directly to these missing ownership validations on user-controlled IDs (review.id/subscription.id). The commit diffs and advisory descriptions confirm these functions were the attack vectors.
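The ownership filter the patches describe, shown as an added Python/SQLite illustration of the pattern (not Aimeos code; the table layout, column names and customer IDs are constructed). The unscoped delete is the IDOR; the fixed variants bind the user-supplied ID to the authenticated customer in the query itself.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the shop's review and subscription tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE review (id INTEGER PRIMARY KEY, customerid TEXT);
        CREATE TABLE subscription (id INTEGER PRIMARY KEY, customerid TEXT, status TEXT);
        INSERT INTO review VALUES (10, 'cust-A'), (11, 'cust-B');
        INSERT INTO subscription VALUES (20, 'cust-A', 'active'), (21, 'cust-B', 'active');
    """)
    return db


def delete_review_vulnerable(db, review_id):
    # IDOR: the only predicate is the caller-supplied ID, so any logged-in
    # customer can delete any review by submitting its number.
    return db.execute("DELETE FROM review WHERE id = ?", (review_id,)).rowcount


def delete_review_fixed(db, review_id, customer_id):
    # Ownership check in the query: rows that belong to another customer are
    # simply not matched. A rowcount of 0 should be treated as "not found",
    # which also avoids confirming that the foreign ID exists.
    return db.execute(
        "DELETE FROM review WHERE id = ? AND customerid = ?",
        (review_id, customer_id),
    ).rowcount


def cancel_subscription_fixed(db, subscription_id, customer_id):
    # Same pattern for the state-changing subscription action.
    return db.execute(
        "UPDATE subscription SET status = 'cancelled' WHERE id = ? AND customerid = ?",
        (subscription_id, customer_id),
    ).rowcount


def get_subscription_fixed(db, subscription_id, customer_id):
    # Reads are scoped too, so a foreign ID returns None instead of data.
    row = db.execute(
        "SELECT id, status FROM subscription WHERE id = ? AND customerid = ?",
        (subscription_id, customer_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "status": row[1]}


def review_exists(db, review_id):
    return db.execute("SELECT 1 FROM review WHERE id = ?", (review_id,)).fetchone() is not None
```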


WAF Protection Rules

Impact

Insecure direct object reference allowing an attacker to disable subscriptions and reviews of another customer.
