CVE-2020-7964 – saleor
Package
Manager: pip
Name: saleor
Vulnerable Version: >=2.0.0 <2.9.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00315 (percentile: 0.54018)
Details
Missing Authentication for Critical Function in Saleor
An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).
Metadata
Created: 2021-07-28T17:57:09Z
Modified: 2021-07-27T15:13:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-rgcm-rpq9-9cgr/GHSA-rgcm-rpq9-9cgr.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-rgcm-rpq9-9cgr
Finding: F006
Auto approve: 1