Miggo Logo
Miggo Vulnerability Database
CVE-2024-39324

CVE-2024-39324:
aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services

3.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-39324
GHSA ID
GHSA-jj68-cp4v-98qf
EPSS Score
0.49198%
CWE
CWE-863
Published
7/2/2024
Updated
7/5/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
aimeos/ai-admin-graphqlcomposer>= 2022.04.1, < 2022.10.102022.10.10
aimeos/ai-admin-graphqlcomposer>= 2023.04.1, < 2023.10.62023.10.6
aimeos/ai-admin-graphqlcomposer= 2024.04.12024.04.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The core vulnerability stemmed from improper access control lists in resource.php where 'editor' was included in allowed groups for service operations. The patch (a839a5a) explicitly removes 'editor' from these entries. The Base.php methods like saveItem become vulnerable vectors when combined with these flawed configurations, though the root cause is the configuration itself. High confidence in resource.php entries as they directly map to the described vulnerability, medium confidence in Base.php methods as they're execution points dependent on configuration.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*im*os/*i-**min-*r*p*ql is t** *im*os *r*p*QL *PI **min int*r****. St*rtin* in v*rsion ****.**.* *n* prior to v*rsions ****.**.**, ****.**.*, *n* ****.*.*, improp*r ****ss *ontrol *llows * **itors to m*n*** own s*rvi**s vi* *r*p*QL *PI w*i** isn't *l

Reasoning

T** *or* vuln*r**ility st*mm** *rom improp*r ****ss *ontrol lists in r*sour**.p*p w**r* '**itor' w*s in*lu*** in *llow** *roups *or s*rvi** op*r*tions. T** p*t** (*******) *xpli*itly r*mov*s '**itor' *rom t**s* *ntri*s. T** **s*.p*p m*t*o*s lik* s*v*