CVE-2026-31867

EPSS 0.07%

Craft Commerce: Potential IDOR in Commerce carts

Published: 2026/3/10  Modified: 2026/3/13

Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce's cart functionality that allows any user to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.

## Vulnerability Details

### Root Cause

The `CartController` accepts a user-supplied `number` parameter to load and modify shopping carts. No ownership validation is performed: the code only checks whether an order with that number exists and is incomplete, not whether the requester is authorized to access it.

```php
// CartController.php:374-389 - actionLoadCart()
public function actionLoadCart(): ?Response
{
    $number = $this->request->getParam('number');

    if ($number === null) {
        return $this->asFailure(Craft::t('commerce', 'A cart number must be specified.'));
    }

    // No ownership check - returns any cart to any requester
    $cart = Order::find()->number($number)->isCompleted(false)->one();

    // Cart is loaded into attacker's session without authorization
    ...
}
```

```php
// CartController.php:606-616 - _getCart()
$orderNumber = $this->request->getBodyParam('number');

if ($orderNumber) {
    // Same issue - no ownership validation
    $cart = Order::find()->number($orderNumber)->isCompleted(false)->one();
    // Returns cart to any requester who knows the number
}
```

---

## Attack Scenario

### Prerequisites

- Target Craft Commerce installation with active shopping carts
- Knowledge of a victim's cart number (32-character hex string)

### Cart Number Acquisition Vectors

1. **Referrer Header Leakage**: Cart URLs shared externally expose the number
2. **Browser History**: Accessible on shared/compromised devices
3. **Proxy/WAF Logs**: Cart numbers logged in URL parameters
4. **Social Engineering**: Support tickets, screenshots containing cart URLs
5. **Brute Force**: While impractical for random targeting, feasible for targeted attacks against recently-created carts

---
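The missing check in the root cause above, shown on a minimal model. This is an added example and not Craft Commerce code: `Order`, `Requester` and the in-memory `ORDERS` store are assumptions made for illustration, and the sample cart numbers are constructed. `find_cart_unchecked` reproduces the lookup the advisory quotes (match on number, require incomplete, return to whoever asks); `find_cart_checked` runs the same query and then refuses to return a cart that the requesting session or customer does not own.

```python
"""Added example (not Craft Commerce code): the cart lookup from the advisory as
written, beside the same lookup with the ownership check that was missing.
Order, Requester and ORDERS are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional
import hmac


@dataclass
class Order:
    number: str                         # 32-char hex cart number, the only key the vulnerable code checks
    is_completed: bool = False
    customer_id: Optional[int] = None   # set for carts of logged-in customers
    session_id: Optional[str] = None    # set for guest carts: the session that created the cart


@dataclass
class Requester:
    session_id: str
    customer_id: Optional[int] = None   # None when not logged in


# Constructed sample data: one guest cart, one logged-in customer's cart, one completed order.
GUEST_CART = "0f3a9c1e5b7d2a4c6e8f0a1b2c3d4e5f"
CUSTOMER_CART = "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b"
COMPLETED = "f" * 32
ORDERS: Dict[str, Order] = {
    GUEST_CART: Order(GUEST_CART, session_id="sess-victim"),
    CUSTOMER_CART: Order(CUSTOMER_CART, customer_id=42),
    COMPLETED: Order(COMPLETED, is_completed=True, customer_id=42),
}


def find_cart_unchecked(number: str) -> Optional[Order]:
    """Mirrors Order::find()->number($number)->isCompleted(false)->one():
    any incomplete order matching the number is returned, whoever asks."""
    order = ORDERS.get(number)
    if order is None or order.is_completed:
        return None
    return order


def requester_owns(order: Order, requester: Requester) -> bool:
    """The ownership check the advisory says is missing. A customer's cart belongs
    to that customer id; a guest cart belongs to the session that created it."""
    if order.customer_id is not None:
        return requester.customer_id == order.customer_id
    if order.session_id is None or requester.session_id is None:
        return False
    # constant-time compare so the check itself does not leak session ids
    return hmac.compare_digest(order.session_id, requester.session_id)


def find_cart_checked(number: str, requester: Requester) -> Optional[Order]:
    """Hardened lookup: same query, then refuse to hand back a cart the requester
    does not own. 'No such cart' and 'not your cart' both return None, so a
    guessed number is not confirmed to exist."""
    order = find_cart_unchecked(number)
    if order is None or not requester_owns(order, requester):
        return None
    return order


if __name__ == "__main__":
    attacker = Requester(session_id="sess-attacker")
    print("unchecked:", find_cart_unchecked(GUEST_CART) is not None)        # True: cart hijacked
    print("checked:", find_cart_checked(GUEST_CART, attacker) is not None)   # False: denied
```

The point of the hardened variant is that the cart number stays a lookup key only; authorization comes from something the requester proves (their session or authenticated customer id), never from knowledge of the number alone.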
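Detection for the acquisition vectors listed above, as an added example that is not part of the advisory or of Craft Commerce. It parses constructed access-log lines (not real traffic) for loads of the cart endpoint and flags two patterns: one client address walking many distinct cart numbers (guessing or replaying a harvested list), and one cart number loaded from more than one address (a leaked number used by someone other than its owner). The action path `/actions/commerce/cart/load-cart` and the addresses are assumptions; adjust them to the site's routing and log format.

```python
"""Added example (not Craft Commerce code): detection of cart-number enumeration
and cross-client cart loads over constructed access-log lines. The endpoint path
and sample addresses are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /actions/commerce/cart/load-cart?number=0f3a9c1e5b7d2a4c6e8f0a1b2c3d4e5f HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /actions/commerce/cart/load-cart?number=9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.5 - - [10/Mar/2026:12:00:03 +0000] "GET /actions/commerce/cart/load-cart?number=1111aaaa2222bbbb3333cccc4444dddd HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.5 - - [10/Mar/2026:12:00:04 +0000] "GET /actions/commerce/cart/load-cart?number=5555eeee6666ffff7777000088889999 HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.7 - - [10/Mar/2026:12:01:10 +0000] "GET /actions/commerce/cart/load-cart?number=0f3a9c1e5b7d2a4c6e8f0a1b2c3d4e5f HTTP/1.1" 302 0 "https://shop.example/cart" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:12:05:42 +0000] "GET /actions/commerce/cart/load-cart?number=0f3a9c1e5b7d2a4c6e8f0a1b2c3d4e5f HTTP/1.1" 302 0 "https://shop.example/cart" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2026:12:06:00 +0000] "GET /shop/products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# a 32-hex-char number as the query value; anchored so longer strings do not match
NUMBER_RE = re.compile(r'[?&]number=([0-9a-fA-F]{32})(?:&|$)')

CartLoad = Tuple[str, str, int]  # (client ip, cart number, http status)


def parse_cart_loads(log_text: str,
                     action_path: str = "/actions/commerce/cart/load-cart") -> List[CartLoad]:
    """Extract (ip, number, status) for every request to the load-cart action
    that carries the number in the query string. A number sent in a POST body
    (the _getCart path) never reaches the access log, so it is out of scope here."""
    events: List[CartLoad] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(action_path):
            continue
        n = NUMBER_RE.search(m["path"])
        if not n:
            continue
        events.append((m["ip"], n.group(1).lower(), int(m["status"])))
    return events


def flag_enumeration(events: List[CartLoad], threshold: int = 3) -> Dict[str, int]:
    """Client addresses that loaded at least `threshold` distinct cart numbers.
    A shopper resumes one cart; a client walking many numbers is guessing or
    replaying harvested ones. A production detector would also window by time."""
    numbers_by_ip: Dict[str, set] = defaultdict(set)
    for ip, number, _status in events:
        numbers_by_ip[ip].add(number)
    return {ip: len(nums) for ip, nums in numbers_by_ip.items() if len(nums) >= threshold}


def shared_numbers(events: List[CartLoad]) -> Dict[str, List[str]]:
    """Cart numbers loaded from more than one client address: the signature of a
    leaked number (referrer, history, logs, screenshots) being used by a third party."""
    ips_by_number: Dict[str, set] = defaultdict(set)
    for ip, number, _status in events:
        ips_by_number[number].add(ip)
    return {n: sorted(ips) for n, ips in ips_by_number.items() if len(ips) > 1}


if __name__ == "__main__":
    loads = parse_cart_loads(SAMPLE_LOG)
    print("enumerating clients:", flag_enumeration(loads))   # {'203.0.113.5': 4}
    print("numbers used from several clients:", shared_numbers(loads))
```

The second signal has false positives (a shopper switching networks, a legitimate shared device), so it is better used to scope an investigation than as an alert on its own; the first signal is rarely benign.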

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N |

References (4)