CVE-2019-7950

An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*

History

21 Nov 2024, 04:48

Type Values Removed Values Added
References () https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13 - Vendor Advisory () https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13 - Vendor Advisory

Information

Published : 2019-08-02 22:15

Updated : 2024-11-21 04:48


NVD link : CVE-2019-7950

Mitre link : CVE-2019-7950

CVE.ORG link : CVE-2019-7950


JSON object : View

Products Affected

magento

  • magento
CWE
CWE-639

Authorization Bypass Through User-Controlled Key