Description
An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutation allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., the name, address, and previous orders of any other customer).
References (2)
Core References
Patch (x_refsource_misc): https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3
Release Notes (x_refsource_misc): https://github.com/mirumee/saleor/releases/tag/2.9.1
Scores
CVSS v3
5.3
EPSS
0.0032
EPSS Percentile
54.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-306
Status
published
Products (2)
mirumee/saleor
2.0.0 - 2.9.1
pypi/saleor
2.0.0 - 2.9.1 (PyPI)
Published
Jan 24, 2020
Tracked Since
Feb 18, 2026