Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.

Remediation

References

CVE-2019-7890

Related Vulnerabilities

Atlassian Confluence Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2019-3398)

WordPress Plugin Cart66 Lite::WordPress Ecommerce SQL Injection (1.5.1.17)

WordPress Plugin Easy Accordion-Best Accordion FAQ Cross-Site Scripting (2.0.21)

Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2011-4281)

WordPress Plugin JW Player for Flash & HTML5 Video Cross-Site Request Forgery (2.1.11)

Severity

High

Classification

CVE-2019-7890 CWE-639 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Missing Update Known Vulnerabilities