-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability in MineAdmin is a critical issue that stems from two interconnected weaknesses. First, the Mine\Command\InstallProjectCommand::initUserData function sets a hardcoded, weak default password ('admin123') for the 'superAdmin' account during the installation process. This allows an attacker to easily gain privileged access to the application's administrative interface.
Once an attacker has administrative access, they can exploit a second vulnerability in the scheduled tasks feature. The Mine\Crontab\MineCrontab::execute function, which handles the execution of scheduled tasks, has a feature to evaluate and run arbitrary PHP code. By creating a new scheduled task of type 'Eval' and providing a malicious payload in the task's target, an attacker can achieve Remote Code Execution on the server. The combination of a default administrative password and a feature that allows for code execution makes this a critical vulnerability.
Mine\Command\InstallProjectCommand::initUserDatasrc/Command/InstallProjectCommand.php
Mine\Crontab\MineCrontab::executesrc/Crontab/MineCrontab.php
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mineadmin/mineadmin | composer | <= 3.0.9 |