Description
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2 due to insufficient authorization checks. It can be abused by a user with admin privileges to add users to company accounts or to modify the details of existing users.
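The pattern behind this class of bug, as an added illustration that is not Magento's code: a handler that confirms the actor holds an admin role but never checks that the user or company referenced by the request is one the actor is allowed to touch, beside a hardened form that derives the company from the authenticated actor and rejects references outside it. The data model, handler names and the in-memory sample data are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    company_id: int
    email: str
    is_company_admin: bool = False


class AuthorizationError(Exception):
    """Raised when the acting user may not perform the requested operation."""


def make_store():
    """Constructed sample data: two companies, each with one admin and one member."""
    return {
        1: User(1, 100, "admin@acme.example", is_company_admin=True),
        2: User(2, 100, "alice@acme.example"),
        3: User(3, 200, "admin@globex.example", is_company_admin=True),
        4: User(4, 200, "bob@globex.example"),
    }


def _require_company_admin(store, actor_id):
    """Role check only: is the actor an admin of *some* company?"""
    actor = store[actor_id]
    if not actor.is_company_admin:
        raise AuthorizationError("company admin role required")
    return actor


# --- Vulnerable pattern: role check, then act on whatever id the request names ---

def update_user_vulnerable(store, actor_id, target_user_id, new_email):
    _require_company_admin(store, actor_id)
    target = store[target_user_id]  # no check that target is in the actor's company
    target.email = new_email
    return target


def add_user_vulnerable(store, actor_id, company_id, new_user_id, email):
    _require_company_admin(store, actor_id)
    # company_id is taken straight from the request body, so an admin of
    # company 100 can create an account inside company 200.
    store[new_user_id] = User(new_user_id, company_id, email)
    return store[new_user_id]


# --- Hardened pattern: object-level check against the actor's own company ---

def update_user_fixed(store, actor_id, target_user_id, new_email):
    actor = _require_company_admin(store, actor_id)
    target = store.get(target_user_id)
    # One error for both "does not exist" and "belongs to another company",
    # so the response does not reveal which user ids are valid.
    if target is None or target.company_id != actor.company_id:
        raise AuthorizationError("user not found")
    target.email = new_email
    return target


def add_user_fixed(store, actor_id, new_user_id, email):
    actor = _require_company_admin(store, actor_id)
    if new_user_id in store:
        raise ValueError("user_id already exists")
    # The company is derived from the authenticated actor, never from the request.
    store[new_user_id] = User(new_user_id, actor.company_id, email)
    return store[new_user_id]


def is_denied(fn, *args):
    """True if the call is rejected with AuthorizationError, else False."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    # Admin of company 100 rewrites a user who belongs to company 200.
    print(update_user_vulnerable(store, 1, 4, "attacker@acme.example"))
    store = make_store()
    print("fixed denies cross-company edit:", is_denied(update_user_fixed, store, 1, 4, "x@y"))
    print("fixed allows same-company edit:", update_user_fixed(store, 1, 2, "alice2@acme.example"))
```

The check that matters is the second one in the hardened handlers: the role check alone is what the vulnerable version already has. Compare `target.company_id` against the actor's company (or, for creation, take the company from the actor's session rather than the request) on every code path that resolves a client-supplied identifier.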
Remediation
References
Related Vulnerabilities
YetiForce CRM Improper Input Validation Vulnerability (CVE-2021-4111)
Apache Traffic Server Improper Input Validation Vulnerability (CVE-2021-37149)
WordPress Plugin Gmail SMTP Arbitrary File Disclosure (1.1.0)
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-5062)
WordPress Plugin Forms:3rd-Party Inject Results Cross-Site Scripting (0.2)