Description

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.

Remediation

References

CVE-2019-8235

Related Vulnerabilities

WordPress Plugin WP Social Feed Gallery Unspecified Vulnerability (2.1.1)

WordPress Plugin Popup Builder-Create highly converting, mobile friendly marketing popups Cross-Site Scripting (4.2.6)

ownCloud Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2013-2046)

WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-0165)

WordPress Plugin Download from files Arbitrary File Upload (1.48)

Severity

Medium

Classification

CVE-2019-8235 CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities