Description

It is possible to access information about other stores, obtain members registered in other stores, modify members and add members from other stores that a user has not been assigned to just by knowing the identifier that differentiates them, since the application does not validate the necessary permissions to access.

Impact

- Obtain membership information from other stores. - Add members to other stores. - Modify partners to other stores. - Unsubscribe a partner.

Recommendation

Verify that the user who is trying to access the information has the necessary permissions to do so.

Threat

User authenticated from the Internet.

Expected Remediation Time

⏱️ 30 minutes.

Requirements

Fixes