GHSA-rgcm-rpq9-9cgr

Suggest an improvement
Source
https://github.com/advisories/GHSA-rgcm-rpq9-9cgr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-rgcm-rpq9-9cgr/GHSA-rgcm-rpq9-9cgr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rgcm-rpq9-9cgr
Aliases
Published
2021-07-28T17:57:09Z
Modified
2023-11-01T04:53:40.863653Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Missing Authentication for Critical Function in Saleor
Details

An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).

Database specific 
{
    "nvd_published_at": "2020-01-24T20:15:00Z",
    "github_reviewed_at": "2021-07-27T15:13:34Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

PyPI / saleor

Package

Name
saleor
View open source insights on deps.dev
Purl
pkg:pypi/saleor

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.9.1