Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order (e.g., its payment status or shipping fee) by adding extra attributes to the user input of the PUT /ajax/cart operation during checkout, because of getValidDocumentForUpdate in api/server/services/orders/orders.js.
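The defect described above is a mass-assignment pattern: an update document is built from the request body without restricting which keys a customer may set. The following Node.js snippet is an added illustration, not Cezerin's code; the function names, the allowlist and the field names `shipping_price` and `paid` are assumed placeholders, and it shows the unsafe shape beside an allowlist-based hardened shape that also reports the dropped keys for logging.

```javascript
// Added illustration of the mass-assignment pattern behind CVE-2019-18608.
// This is NOT Cezerin's code; function and field names are assumed placeholders.

// Assumption: the only fields a customer may change on their own cart.
const CUSTOMER_EDITABLE = new Set(['items', 'shipping_address', 'email', 'comments']);

// Vulnerable shape: every key of the request body is copied into the update
// document, so a body key that conflicts with an internal attribute overwrites it.
function buildUpdateUnsafe(body) {
  const update = {};
  for (const key of Object.keys(body)) {
    update[key] = body[key];
  }
  return update;
}

// Hardened shape: the update is built from the allowlist only. Keys that are not
// customer-editable are dropped and returned so the caller can log or reject them.
function buildUpdateSafe(body) {
  const update = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (CUSTOMER_EDITABLE.has(key)) {
      update[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { update, rejected };
}

// Constructed sample request body: legitimate cart fields plus two keys that
// collide with assumed internal attribute names (shipping_price, paid).
const SAMPLE_BODY = {
  items: [{ product_id: 'p1', quantity: 2 }],
  email: 'customer@example.com',
  shipping_price: 0,
  paid: true,
};

// Runs both builders over the sample body and returns the results side by side.
function demo() {
  return { unsafe: buildUpdateUnsafe(SAMPLE_BODY), safe: buildUpdateSafe(SAMPLE_BODY) };
}
```

Surfacing the `rejected` list in application logs gives a cheap detection signal: a checkout request carrying internal attribute names is not something a legitimate storefront client sends.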
References
| Link | Resource |
|---|---|
| https://github.com/cl0udz/vulnerabilities/blob/master/cezerin-manipulate_order_information/README.md | Exploit, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-10-29T14:56:33
Updated: 2019-10-29T14:56:33
Reserved: 2019-10-29T00:00:00
Link: CVE-2019-18608
NVD Information
Status : Analyzed
Published: 2019-10-29T19:15:19.767
Modified: 2021-07-21T11:39:23.747
Link: CVE-2019-18608
Redhat Information
No data.
CWE