CVE-2019-18608 — Cezerin Unauthorized Acces

Description

Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order (e.g., its payment status or shipping fee) by adding additional attributes to user-input during the PUT `/ajax/cart` operation for a checkout, because of `getValidDocumentForUpdate` in `api/server/services/orders/orders.js`.

How to fix CVE-2019-18608

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2019-18608 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.33.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-18608
PATCHgithub.com/cezerin/cezerin
WEBgithub.com/cl0udz/vulnerabilities/blob/master/cezerin-manipulate_order_information/README.md