Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJnY20tcnBxOS05Y2dy

Missing Authentication for Critical Function in Saleor

An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).

Permalink: https://github.com/advisories/GHSA-rgcm-rpq9-9cgr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJnY20tcnBxOS05Y2dy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-rgcm-rpq9-9cgr, CVE-2020-7964
References:
Repository: https://github.com/mirumee/saleor
Blast Radius: 1.6

Affected Packages

pypi:saleor
Dependent packages: 0
Dependent repositories: 2
Downloads: 20 last month
Affected Version Ranges: >= 2.0.0, < 2.9.1
Fixed in: 2.9.1
All affected versions:
All unaffected versions: 2.10.1