An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information.
References
Link | Resource |
---|---|
https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13 | Vendor Advisory |
https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 04:48
Type | Values Removed | Values Added |
---|---|---|
References | () https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13 - Vendor Advisory |
Information
Published : 2019-08-02 22:15
Updated : 2024-11-21 04:48
NVD link : CVE-2019-7950
Mitre link : CVE-2019-7950
CVE.ORG link : CVE-2019-7950
JSON object : View
Products Affected
magento
- magento
CWE
CWE-639
Authorization Bypass Through User-Controlled Key