CVE-2019-7854
published 2019-08-02CVE-2019-7854: An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to…
PriorityP337high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EPSS
1.14%
62.8th percentile
An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magento | community-edition | >= 2.1.0 < 2.1.18 | 2.1.18 |
| magento | community-edition | >= 2.2.0 < 2.2.9 | 2.2.9 |
| magento | community-edition | >= 2.3.0 < 2.3.2 | 2.3.2 |
| magento | magento | >= 2.1.0 < 2.1.18 | 2.1.18 |
| magento | magento | >= 2.2.0 < 2.2.9 | 2.2.9 |
| magento | magento | >= 2.3.0 < 2.3.2 | 2.3.2 |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Magento 2 Community Edition IDOR Vulnerability
osv·2022-05-24
CVE-2019-7854 [HIGH] Magento 2 Community Edition IDOR Vulnerability
Magento 2 Community Edition IDOR Vulnerability
An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
GHSA
Magento 2 Community Edition IDOR Vulnerability
ghsa·2022-05-24
CVE-2019-7854 [HIGH] CWE-639 Magento 2 Community Edition IDOR Vulnerability
Magento 2 Community Edition IDOR Vulnerability
An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2019-08-02
Published