Basic Information
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| indico | pip | >= 3.2.9, < 3.3.3 | 3.3.3 |
The vulnerability centers on the /api/principals endpoint, which accepts POST requests carrying user-controlled identifiers (e.g., 'User:2301'). The published exploit example and the developer's comments confirm that this endpoint returns user data without enforcing object-level authorization: the function that handles these requests (likely named _process in a Principals request handler) does not check whether the requester is permitted to access the specified user IDs. This matches CWE-639 (authorization bypass through a user-controlled key) and CWE-862 (missing authorization). The developer disputes the report, acknowledging that the endpoint exists but arguing that its behaviour is intentional, which further confirms how the function behaves.