| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mantisbt/mantisbt | composer | <= 2.26.3 | 2.26.4 |

The vulnerability stems from missing authorization checks in the profile management scripts. Before the patch, `account_prof_edit_page.php` and `account_prof_update.php` fetched or modified a profile after checking only whether it was a global profile (via `profile_is_global()`); they did not verify that a non-global profile belonged to the current user. An unprivileged user could therefore bypass access controls by supplying an arbitrary profile ID. The patches introduced `profile_ensure_can_update()` to enforce ownership/global access checks. The high confidence comes from the explicit addition of authorization functions in the patches and the CWE-200 classification.
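
The pattern described above, reduced to a self-contained PHP model. This is an added example, not MantisBT source: the function names, the `ALL_USERS` owner value as used here, the rule that only the owner may touch a non-global profile, and the sample rows are all assumptions made for illustration.

```php
<?php
// Simplified model of the missing ownership check; not MantisBT code.
// All names and data below are constructed for illustration.
const ALL_USERS = 0; // owner id this model uses for global profiles

$profiles = [ // constructed sample rows: profile id => row
    1 => ['user_id' => ALL_USERS, 'platform' => 'Linux'],
    2 => ['user_id' => 10, 'platform' => 'macOS'],
    3 => ['user_id' => 20, 'platform' => 'Windows'],
];

function is_global_profile(array $profiles, int $id): bool {
    return isset($profiles[$id]) && $profiles[$id]['user_id'] === ALL_USERS;
}

// Pre-patch pattern: only global profiles get a privilege check, so any
// other profile id is loaded without comparing its owner to the caller.
function load_profile_unchecked(array $profiles, int $id, int $caller, bool $isAdmin): ?array {
    if (is_global_profile($profiles, $id) && !$isAdmin) {
        throw new RuntimeException('access denied');
    }
    return $profiles[$id] ?? null; // $caller is never consulted
}

// Patched pattern: one guard that runs before any read or write and
// covers both the global case and the ownership case.
function ensure_can_update(array $profiles, int $id, int $caller, bool $isAdmin): void {
    if (!isset($profiles[$id])) {
        throw new RuntimeException('profile not found');
    }
    $owner = $profiles[$id]['user_id'];
    $allowed = ($owner === ALL_USERS) ? $isAdmin : ($owner === $caller);
    if (!$allowed) {
        throw new RuntimeException('access denied');
    }
}

// Unprivileged user 10 requests profile 3, which belongs to user 20.
$row = load_profile_unchecked($profiles, 3, 10, false);
echo "unchecked: returned a profile owned by user {$row['user_id']}\n";

try {
    ensure_can_update($profiles, 3, 10, false);
    echo "checked: allowed\n";
} catch (RuntimeException $e) {
    echo "checked: {$e->getMessage()}\n";
}
```

When reviewing similar handlers, look for any code path where a record is loaded by a client-supplied ID and the caller's identity is not part of the lookup or of a guard that runs before it.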