N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-qcqv-38jg-2r43

GHSA-qcqv-38jg-2r43: Pageflow vulnerable to insecure direct object reference in membership update endpoint

Impact

Pageflow has a membership edit feature which allows users to edit the roles of user memberships associated with an account that they have the manager role to (including their own). While the Entity dropdown select field is greyed out in the UI, an attacker can use tools which allow sending arbitrary HTTP request to craft a request to the /admin/users/{user_id}/memberships/{membership_id} endpoint containing an additional membership[entity_id] parameter. This parameter is honored when the membership is updated, allowing an attacker to update the membership object associated with their own account (with manager role) to be associated with a different attacker-chosen account instead. Since account_ids are enumerable, an attacker can compromise all accounts present on the platform.

Mitigation

Upgrade to version 15.7.1 or 14.5.2 of the pageflow gem.

For more information

If you have any questions or comments about this advisory email us at info(at)codevise.de

Credits

Positive Security

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-qcqv-38jg-2r43

GHSA-qcqv-38jg-2r43:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pageflow	rubygems	< 14.5.2	14.5.2
pageflow	rubygems	>= 15.0.0, < 15.7.1	15.7.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the membership update endpoint honoring the 'membership[entity_id]' parameter without validation. In Rails applications, controller actions handling parameters typically use strong parameters. The described attack requires the controller to permit and process entity_id from requests, which should have been excluded from mass assignment. The linked PR #1862 mentions security fixes for membership updates, suggesting the controller's parameter handling was improperly allowing entity_id modification. The endpoint path (/admin/users/{user_id}/memberships/{membership_id}) maps to a standard Rails update action pattern, making Admin::MembershipsController#update the most likely vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-qcqv-38jg-2r43: Pageflow vulnerable to insecure direct object reference in membership update endpoint

Impact

Mitigation

For more information

Credits

GHSA-qcqv-38jg-2r43:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

GHSA-qcqv-38jg-2r43: Pageflow vulnerable to insecure direct object reference in membership update endpoint

Impact

Mitigation

For more information

Credits

N/A

N/A

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI