Description
An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information.
Remediation
References
Related Vulnerabilities
WordPress Plugin Per page add to head Cross-Site Request Forgery (1.4.3)
WordPress Plugin 3D Flick Slideshow 'upload.php' Arbitrary File Upload (2.1)
Apache Tomcat Insufficiently Protected Credentials Vulnerability (CVE-2019-12418)
WordPress Plugin Carts Guru PHP Object Injection (1.4.5)
WordPress Plugin Starfish Review Generation & Marketing for WordPress Security Bypass (2.0.0)