Description
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user-controlled input.
References (1)
Vendor Advisory (x_refsource_confirm)
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Scores
CVSS v3
6.5
EPSS
0.0021
EPSS Percentile
42.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-639
Status
published
Products (1)
magento/magento
2.1.0 - 2.1.17 (2 CPE variants)
Published
Oct 30, 2019
Tracked Since
Feb 18, 2026