Improper access control in Magento Open Source - CVE-2019-7864


Published: August 3, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30890
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-7864
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Adobe
Affected software:
Magento Open Source

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to read sensitive information (other customers' order details).

An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. The feed resolves an order from a client-controlled identifier without verifying that the requester is entitled to that order, so a caller who can supply or enumerate identifiers can obtain order details that belong to other customers.
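The following is an added illustration of the IDOR pattern described above, written for this page; it is not Magento's code and does not reproduce its feed implementation. The order store, the customer and order identifiers, and the two handler functions are constructed for the example. The vulnerable handler treats the client-supplied order identifier as sufficient authorization; the hardened handler first establishes who the caller is and then scopes the lookup to that caller's own orders.

```python
"""IDOR in an order-status feed: vulnerable lookup beside its hardened form.

Added example, not Magento code. All identifiers and sample orders below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    status: str
    total: float


# Constructed sample data: customer 7 owns two orders, customer 9 owns one.
ORDERS = {
    1001: Order(1001, 7, "complete", 59.90),
    1002: Order(1002, 7, "processing", 120.00),
    1003: Order(1003, 9, "pending", 15.25),
}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Order does not exist, or the caller may not see it."""


def _render(order: Order) -> dict:
    return {"order_id": order.order_id, "status": order.status, "total": order.total}


def feed_vulnerable(order_id: int) -> dict:
    """Vulnerable: the client-supplied identifier is the only 'authorization'.

    Anyone who can guess or enumerate order identifiers reads any order.
    """
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return _render(order)


def feed_hardened(session_customer_id: Optional[int], order_id: int) -> dict:
    """Hardened: authenticate first, then scope the lookup to the caller's orders.

    The ownership check is part of the lookup, not a separate step that a
    later code path could forget. "Does not exist" and "not yours" produce
    the same error so the response does not confirm which identifiers exist.
    """
    if session_customer_id is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise NotFound(order_id)
    return _render(order)


def outcome(handler: Callable[..., dict], *args) -> str:
    """Summarise a handler call as 'ok', 'forbidden' or 'not_found'."""
    try:
        handler(*args)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    # Customer 7 asks for customer 9's order 1003.
    print("vulnerable:", outcome(feed_vulnerable, 1003))       # ok (leak)
    print("hardened:  ", outcome(feed_hardened, 7, 1003))      # not_found
    print("anonymous: ", outcome(feed_hardened, None, 1001))   # forbidden
```

The point of the hardened form is that the ownership condition is expressed inside the query itself (`customer_id == session_customer_id`), so the identifier in the request can never by itself select a record the caller is not allowed to see.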


How to mitigate CVE-2019-7864

Update to a fixed release on the branch in use: Magento 2.1.18, 2.2.9 or 2.3.2 (or later), available from the vendor. Confirm the installed version after upgrading, since all 2.1, 2.2 and 2.3 releases before those numbers remain affected.
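As an added helper for checking an inventory of installations against the affected ranges stated in this advisory (not vendor code), the function below classifies a Magento version string. The fixed versions are taken from the description above; branches the advisory does not mention (for example 2.4) are reported as "not covered" rather than "fixed", because the page says nothing about them. Treating a release suffix such as `-p1` as equal to its numeric core is an assumption of this example.

```python
"""Classify a Magento version against the CVE-2019-7864 affected ranges.

Added example, not vendor code. Ranges come from the advisory text:
2.1 < 2.1.18, 2.2 < 2.2.9, 2.3 < 2.3.2.
"""
from typing import Dict, Tuple

# Branch -> first fixed release on that branch (from the advisory).
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2, 1): (2, 1, 18),
    (2, 2): (2, 2, 9),
    (2, 3): (2, 3, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.1' or '2.3.1-p1' into (2, 3, 1).

    Assumption of this example: a suffix after '-' (patch or pre-release
    tag) is ignored and the numeric core alone is compared.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assessment(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not covered' for a version string."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "not covered"
    return "vulnerable" if v[:3] < fixed else "fixed"


if __name__ == "__main__":
    for sample in ("2.1.17", "2.1.18", "2.2.7", "2.3.1-p1", "2.3.2", "2.4.0"):
        print(f"{sample:10s} {assessment(sample)}")
```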
