Main Vulnerability Database Vulnerabilities #VU30943

Improper access control in Magento Open Source - CVE-2019-7950

Published: August 3, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30943

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-7950

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Adobe

Affected software:
Magento Open Source

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information.

How to mitigate CVE-2019-7950

Install update from vendor's website.

Sources

https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13

Improper access control in Magento Open Source - CVE-2019-7950

Detailed vulnerability description

How to mitigate CVE-2019-7950

Sources

Please verify you're human