CVE-2019-8235

EUVD-2019-17633
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
magentomagento
2.1.0 ≤
𝑥
< 2.1.17
magentomagento
2.1.0 ≤
𝑥
< 2.1.17
magentomagento
2.2.0 ≤
𝑥
< 2.2.8
magentomagento
2.2.0 ≤
𝑥
< 2.2.8
magentomagento
2.3.0 ≤
𝑥
< 2.3.1
magentomagento
2.3.0 ≤
𝑥
< 2.3.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update