CVE-2019-8235
MEDIUM
Magento 2.1.0-2.1.16, 2.2.0-2.2.7, 2.3.0 - Authenticated Insecure Direct Object Reference
Title source: llmDescription
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17. An authenticated user may be able to view personally identifiable shipping details of another user because the identifier supplied in the request is used to select the record without checking that it belongs to the authenticated customer (CWE-639).
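The pattern behind this class of bug, as an added illustration that is not Magento code and does not reproduce the specific endpoint or patch: a shipping-address lookup keyed only on the client-supplied address id (the CWE-639 defect), the same lookup scoped by the authenticated customer id, and a black-box style probe that requests one customer's ids from another customer's session. The in-memory store, the customer ids 100 and 200, and the address records are all constructed sample data.

```python
"""Added example of an authenticated IDOR on a shipping-address lookup.
Not Magento code; the store, sessions and records below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Address:
    address_id: int
    customer_id: int   # owner of the record
    street: str
    city: str
    telephone: str     # the kind of PII an IDOR leaks


# Constructed sample data: customer 100 owns ids 1 and 2, customer 200 owns id 3.
ADDRESSES: Dict[int, Address] = {
    1: Address(1, 100, "1 Main St", "Springfield", "555-0100"),
    2: Address(2, 100, "2 Side St", "Springfield", "555-0101"),
    3: Address(3, 200, "9 Elm Rd", "Shelbyville", "555-0200"),
}


class NotFound(Exception):
    """Maps to an HTTP 404 in a real handler."""


def get_address_vulnerable(session_customer_id: int, requested_id: int) -> Address:
    """CWE-639: the record is selected by the client-supplied key alone.
    session_customer_id is available but never used in the lookup, so any
    authenticated user can read any address id they can guess or increment."""
    if requested_id not in ADDRESSES:
        raise NotFound(requested_id)
    return ADDRESSES[requested_id]


def get_address_hardened(session_customer_id: int, requested_id: int) -> Address:
    """Scope the lookup by the authenticated owner, i.e. the equivalent of
    'WHERE id = ? AND customer_id = ?' rather than fetching by id and
    checking afterwards. Both 'missing' and 'not yours' return NotFound so
    the response does not confirm which ids exist for other customers."""
    addr = ADDRESSES.get(requested_id)
    if addr is None or addr.customer_id != session_customer_id:
        raise NotFound(requested_id)
    return addr


def idor_probe(
    handler: Callable[[int, int], Address],
    attacker_customer_id: int,
    victim_address_ids: List[int],
) -> List[int]:
    """Black-box style check a tester would run with two accounts: call the
    endpoint as the attacker using ids known to belong to the victim, and
    report every id whose record comes back owned by someone else."""
    leaked: List[int] = []
    for address_id in victim_address_ids:
        try:
            addr = handler(attacker_customer_id, address_id)
        except NotFound:
            continue
        if addr.customer_id != attacker_customer_id:
            leaked.append(address_id)
    return leaked


if __name__ == "__main__":
    # Customer 200 asks for customer 100's addresses through each handler.
    print("vulnerable leaks:", idor_probe(get_address_vulnerable, 200, [1, 2]))
    print("hardened leaks:  ", idor_probe(get_address_hardened, 200, [1, 2]))
```

The probe is the same check to run against a live deployment after patching: create two customer accounts, record the address ids each one sees, then request them from the other session; any record returned, or any status difference between "not mine" and "does not exist", is a finding.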
References (1)
Vendor Advisory (x_refsource_CONFIRM)
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Scores
CVSS v3
6.5
EPSS
0.0188 (1.88% estimated probability of exploitation in the next 30 days)
EPSS Percentile
76.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key)
Status
published
Products (1)
magento/magento
2.1.0 up to but excluding 2.1.17, 2.2.0 up to but excluding 2.2.8, 2.3.0 up to but excluding 2.3.1 (2 CPE variants)
Published
Oct 30, 2019
Tracked Since
Feb 18, 2026