Resource Injection

Affecting magento/community-edition package, versions >=2.1.0, <2.1.18 || >=2.2.0, <2.2.9 || >=2.3.0, <2.3.2

Overview

magento/community-edition is a modern cloud eCommerce platform.

Affected versions of this package are vulnerable to Resource Injection in the order processing workflow. This can lead to unauthorized access to order details.

Remediation

Upgrade magento/community-edition to version 2.1.18, 2.2.9, 2.3.2 or higher.
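
One way to check a project against the affected ranges listed above, as an added example (not Snyk's or Magento's code). It assumes the standard composer.lock layout (`packages` / `packages-dev` lists of `name` and `version` entries); the function names and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "magento/community-edition"  # package name as given in the advisory

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound).
AFFECTED = [((2, 1, 0), (2, 1, 18)),
            ((2, 2, 0), (2, 2, 9)),
            ((2, 3, 0), (2, 3, 2))]


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v2.3.1' or '2.2.8-p1'.

    Assumption: any suffix after the patch number is ignored.
    Returns None for non-numeric versions such as 'dev-master'.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version_text):
    """True if the version is in an affected range; None if it cannot be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None
    return any(low <= version < high for low, high in AFFECTED)


def check_lock(lock_json, package=PACKAGE):
    """Scan composer.lock content and return (version, verdict) for the package.

    Returns None when the package is not locked at all.
    """
    lock = json.loads(lock_json)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            return entry["version"], is_affected(entry["version"])
    return None


# Constructed sample lock file content, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "monolog/monolog", "version": "1.24.0"},
    {"name": "magento/community-edition", "version": "2.2.8"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A verdict of `None` from `is_affected` means the locked version is a branch alias or other non-numeric string and has to be resolved by hand.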

CVSS Score

5.4 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Credit: Unknown
CVE: CVE-2019-7890
CWE: CWE-99
Snyk ID: SNYK-PHP-MAGENTOCOMMUNITYEDITION-459029
Disclosed: 02 Aug, 2019
Published: 12 Aug, 2019