Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-7872

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks. This can be abused by a user with admin privileges to add users to company accounts or modify existing user details.

Published

2019-08-02T22:15:15.940

Last Modified

2024-11-21T04:48:54.003

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-639

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	magento	magento	< 2.1.18	Yes
Application	magento	magento	< 2.2.9	Yes
Application	magento	magento	< 2.3.2	Yes

References

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13 Vendor Advisory ([email protected])
https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)