CVE-2019-7950 – magento/community-edition
Package
Manager: composer
Name: magento/community-edition
Vulnerable Version: >=2.1.0 <2.1.18 || >=2.2.0 <2.2.9 || >=2.3.0 <2.3.2
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00485 (percentile: 0.64359)
Details
Magento 2 Community Edition Access Control Bypass
An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidential information.
Metadata
Created: 2022-05-24T16:52:29Z
Modified: 2023-09-25T19:27:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2fhr-f6q6-c4p2/GHSA-2fhr-f6q6-c4p2.json
CWE IDs: ["CWE-639"]
Alternative ID: GHSA-2fhr-f6q6-c4p2
Finding: F039
Auto approve: 1