10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-m58q-qq5h-mgqq

GHSA-m58q-qq5h-mgqq: Islandora 2.0 before 2.4.1 could allow any user to upload content into a repository

Impact

This vulnerability would allow any user, regardless of permissions, to upload content into a repository. This affects installations of Islandora core 2.0 or greater.

Patches

Upgrade immediately to the latest release of Islandora.

Workarounds

In lieu of an upgrade the following module can be leveraged that will resolve the issue until such a time an upgrade can take place.

For more information

If you have any questions or comments about this advisory:

Open an issue in Islandora
Contact community@islandora.ca.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-m58q-qq5h-mgqq

GHSA-m58q-qq5h-mgqq:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
islandora/islandora	composer	>= 2.0, < 2.4.1	2.4.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a misconfigured route in 'islandora.routing.yml' where the 'islandora.upload_children' route had '_access: "TRUE"', allowing unrestricted access. The fix replaced this with a proper access check via a custom callback. Since the vulnerability is tied to route configuration (YAML) rather than a specific function, no traditional PHP functions are directly implicated. The insecure configuration allowed unauthorized access, but no vulnerable functions (in the codebase) were identified with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-m58q-qq5h-mgqq: Islandora 2.0 before 2.4.1 could allow any user to upload content into a repository

Impact

Patches

Workarounds

For more information

GHSA-m58q-qq5h-mgqq:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

10

10

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-m58q-qq5h-mgqq: Islandora 2.0 before 2.4.1 could allow any user to upload content into a repository

Impact

Patches

Workarounds

For more information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI