Description

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.

Remediation

References

CVE-2019-8235

Related Vulnerabilities

WordPress Plugin Business Hours Pro Arbitrary File Upload (5.5.0)

WordPress Plugin Quiz Tool Lite Multiple Cross-Site Scripting Vulnerabilities (2.3.15)

Ruby on Rails URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2021-22903)

WordPress Plugin Google Sitemap by BestWebSoft Cross-Site Scripting (3.0.7)

PHP Numeric Errors Vulnerability (CVE-2009-5016)

Severity

Medium

Classification

CVE-2019-8235 CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities