CVE-2019-8235

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
magentomagento
2.1.0 ≤
𝑥
< 2.1.17
magentomagento
2.1.0 ≤
𝑥
< 2.1.17
magentomagento
2.2.0 ≤
𝑥
< 2.2.8
magentomagento
2.2.0 ≤
𝑥
< 2.2.8
magentomagento
2.3.0 ≤
𝑥
< 2.3.1
magentomagento
2.3.0 ≤
𝑥
< 2.3.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update