CVE-2020-7964

MEDIUM5.3EPSS 0.32%

Missing Authentication for Critical Function in Saleor

Published: 7/28/2021Modified: 11/8/2023

Description

An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).

Affected packages (1)

PyPI/saleor>= 2.0.0, < 2.9.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-7964
WEBhttps://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3
WEBhttps://github.com/mirumee/saleor/releases/tag/2.9.1