CVE-2019-8235: Authorization Bypass Through User-Controlled Key in Magento

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 56.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline:
Published: Oct 30
Latest update: May 24

Description

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: magento/magento, 2.1.0 up to (not including) 2.1.17 (+2 more ranges)
CVEListV5: adobe/magento, 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, 2.3 prior to 2.3.1 (+2 more ranges)

Vulnerability Details (2 sources)

GHSA: GHSA-c242-4v4p-fwr3: An insecure direct object reference (IDOR) vulnerability exists in Magento 2 (2022-05-24)
CVEList: CVE-2019-8235: An insecure direct object reference (IDOR) vulnerability exists in Magento 2 (2019-10-29)
CVE-2019-8235 — Magento vulnerability | cvebase