CVE-2025-52920

MEDIUM

Innoshop <0.4.1 - Info Disclosure

Title source: llm

Description

Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.

References (2)

[Various Sources] https://github.com/innocommerce/innoshop

[Various Sources] https://medium.com/@The_Hiker/how-i-found-multiple-cves-in-innoshop-0-4-1-12c8f84ad87f

Scores

CVSS v3 6.4

EPSS 0.0016

EPSS Percentile 36.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-425

Status published

Products (1)

InnoShop/InnoShop < 0.4.1

Published Jun 23, 2025

Tracked Since Feb 18, 2026