#VU30890 Improper access control in Magento Open Source - CVE-2019-7864


Published: August 3, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30890
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-7864
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Magento Open Source
Software vendor: Adobe

Description

The vulnerability allows a remote, unauthenticated attacker to gain access to sensitive information.

An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An attacker who supplies a reference to an order they do not own can obtain that order's details without authorization.


Remediation

Install the update from the vendor's website.

External links