CVE-2024-44314
Severity: MEDIUM 6.5 | EPSS 0.10%
TastyIgniter Has an Incorrect Access Control Vulnerability
Published: 2025/3/18 | Modified: 2025/3/21
Description
TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System that allows unauthorized users to update order statuses. The issue occurs in the index_onUpdateStatus() function within Orders.php, which fails to verify whether the requesting user has permission to modify an order's status. The flaw can be exploited remotely, leading to unauthorized order manipulation.
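The root cause described above is a state-changing handler that never asks whether the caller is allowed to perform the change. The following PHP is an added illustration written for this page, not code from TastyIgniter or from the advisory: it places an unchecked handler next to a hardened one that enforces an explicit permission check, validates the target order, and restricts the new status to an allow-list, logging denied attempts so they can be picked up by monitoring. The class names, the `orders.update_status` permission string, the order ids and statuses are all constructed for the example and do not correspond to anything in the project.

```php
<?php
// Added illustration (not TastyIgniter code): an order-status update handler
// with and without an explicit authorization check. All names, permission
// strings, order ids and statuses below are constructed for this example.

declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

final class User
{
    /** @param string[] $permissions constructed permission strings */
    public function __construct(public readonly string $name, private array $permissions) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class OrderRepository
{
    /** @var array<int,string> order id => current status (constructed sample data) */
    private array $statuses = [1001 => 'pending', 1002 => 'preparing'];

    public function status(int $id): ?string
    {
        return $this->statuses[$id] ?? null;
    }

    public function setStatus(int $id, string $status): void
    {
        $this->statuses[$id] = $status;
    }
}

final class OrdersController
{
    private const ALLOWED_STATUSES = ['pending', 'preparing', 'completed', 'cancelled'];

    public function __construct(private OrderRepository $orders) {}

    // Vulnerable shape: trusts the request and writes the status straight through,
    // regardless of who is calling.
    public function updateStatusUnchecked(User $user, int $orderId, string $status): void
    {
        $this->orders->setStatus($orderId, $status);
    }

    // Hardened shape: deny unless the caller holds the required permission, confirm
    // the order exists, and accept only statuses from a fixed allow-list.
    public function updateStatus(User $user, int $orderId, string $status): void
    {
        if (!$user->hasPermission('orders.update_status')) {
            // Denied attempts are worth logging: repeated hits are a detection signal.
            error_log(sprintf('denied order status change by "%s" on order %d', $user->name, $orderId));
            throw new AccessDenied('not permitted to update order status');
        }
        if ($this->orders->status($orderId) === null) {
            throw new InvalidArgumentException("unknown order $orderId");
        }
        if (!in_array($status, self::ALLOWED_STATUSES, true)) {
            throw new InvalidArgumentException("invalid status '$status'");
        }
        $this->orders->setStatus($orderId, $status);
    }
}

// Demonstration with constructed users: a customer with no permissions and a
// staff member who holds the constructed 'orders.update_status' permission.
$repo = new OrderRepository();
$ctl = new OrdersController($repo);
$customer = new User('customer', []);
$staff = new User('staff', ['orders.update_status']);

$ctl->updateStatusUnchecked($customer, 1001, 'completed');
echo 'unchecked: order 1001 is now ', $repo->status(1001), PHP_EOL; // customer changed it

try {
    $ctl->updateStatus($customer, 1002, 'cancelled');
} catch (AccessDenied $e) {
    echo 'checked: ', $e->getMessage(), PHP_EOL; // customer is refused
}

$ctl->updateStatus($staff, 1002, 'completed');
echo 'checked: order 1002 is now ', $repo->status(1002), PHP_EOL; // staff may change it
```

Run with `php example.php` (PHP 8.1 or later, for the promoted readonly property). The point of the hardened method is that the authorization decision lives inside the handler that mutates state, so it cannot be bypassed by reaching the endpoint through an unexpected route; the existence check and status allow-list are there because, once authorization is fixed, malformed input becomes the next thing an attacker would try.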
Affected packages (1)
- Packagist: tastyigniter/tastyigniter, from 0, < 4.0.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
References (4)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-44314
- PATCH: https://github.com/tastyigniter/TastyIgniter
- WEB: https://github.com/tastyigniter/TastyIgniter/blob/3.x/app/admin/controllers/Orders.php
- WEB: https://medium.com/@cnetsec/cve-2024-44314-incorrect-access-control-in-function-updateorder-fc5f2b1b0467