Description

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.

Remediation

References

CVE-2019-8235

Related Vulnerabilities

Apache HTTP Server Session Fixation Vulnerability (CVE-2001-1534)

Sqlite Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Vulnerability (CVE-2015-3717)

WordPress Plugin Floating Social Media Links 'wpp' Parameter Multiple Remote File Include Vulnerabilities (1.4.2)

PHP Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Vulnerability (CVE-2006-5178)

WordPress Plugin Conditional Marketing Mailer for WooCommerce Security Bypass (1.5.1)

Severity

Medium

Classification

CVE-2019-8235 CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities