Authorization bypass through user-controlled key in Aimeos shop and e-commerce framework - #VU93484
Published: June 28, 2024
Aimeos shop and e-commerce framework
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected extension does not verify whether a specified digital product identifier is authorized for download. A remote user can download digital products without completing payment, leading to an Insecure Direct Object Reference (IDOR) issue.
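The missing check described above, sketched as an added example (not Aimeos code and not the vendor's fix): a download handler that trusts the requested identifier, next to one that requires the identifier to appear in a paid order owned by the authenticated customer. The order structure, function names, file path and sample data are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data (hypothetical structure, not the Aimeos schema):
// each order records its owner, payment state and purchased download IDs.
const ORDERS = [
    ['id' => 1, 'customer' => 'alice', 'paid' => true,  'downloads' => ['ebook-001']],
    ['id' => 2, 'customer' => 'bob',   'paid' => false, 'downloads' => ['ebook-002']],
];

// Vulnerable pattern: the identifier from the request is the only input
// to the decision, so any ID the caller supplies is served.
function downloadVulnerable(string $downloadId): string
{
    return "/protected/files/{$downloadId}.pdf";
}

// Hardened pattern: the ID must belong to a paid order of the
// authenticated customer before any file path is resolved.
function isDownloadAuthorized(?string $customer, string $downloadId, array $orders): bool
{
    if ($customer === null) {
        return false; // anonymous requests never qualify
    }
    foreach ($orders as $order) {
        if ($order['customer'] === $customer
            && $order['paid'] === true
            && in_array($downloadId, $order['downloads'], true)) {
            return true;
        }
    }
    return false;
}

function downloadHardened(?string $customer, string $downloadId, array $orders): ?string
{
    if (!isDownloadAuthorized($customer, $downloadId, $orders)) {
        // Caller answers 403/404 without revealing whether the ID exists.
        return null;
    }
    return "/protected/files/{$downloadId}.pdf";
}

// alice owns a paid order for ebook-001; bob's order for ebook-002 is unpaid.
var_dump(downloadHardened('alice', 'ebook-001', ORDERS)); // owner, paid
var_dump(downloadHardened('bob', 'ebook-002', ORDERS));   // owner, unpaid
var_dump(downloadHardened('alice', 'ebook-002', ORDERS)); // not the owner
var_dump(downloadHardened(null, 'ebook-001', ORDERS));    // unauthenticated
```

The same three conditions (authenticated owner, completed payment, identifier present in that order) are what a regression test for this class of bug should exercise.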