Description
An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidential information.
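The following is an added illustration, not Magento's code or its actual patch, of the flaw class the description names: a REST handler that binds a customer to whatever company id the request body carries, beside a hardened handler that only permits the binding when server-side state (an admin token, a company admin acting on their own company, or a pending invitation) says the caller may make it. It also carries an affected-version check derived from the three fixed releases quoted above. The data model, endpoint shapes, the `fixture()` sample state and the hardened rule set are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# ---- affected-version check, taken from the advisory text ------------------------
# First fixed release per branch: 2.1.18, 2.2.9, 2.3.2.
FIXED_IN = {(2, 1): (2, 1, 18), (2, 2): (2, 2, 9), (2, 3): (2, 3, 2)}


def is_affected(version: str) -> bool:
    """True if `version` is on one of the three branches named in the advisory and
    older than that branch's fixed release. Patch suffixes such as '-p1' are ignored."""
    nums = tuple(int(p) for p in version.split("-", 1)[0].split("."))
    fixed = FIXED_IN.get(nums[:2])
    if fixed is None:
        return False          # branch not named in the advisory: no claim made here
    return nums < fixed       # tuple comparison: (2, 3, 1) < (2, 3, 2)


# ---- a minimal model of the endpoint (assumed shapes, not Magento's classes) -----
@dataclass
class Customer:
    id: int
    company_id: Optional[int] = None


@dataclass
class Company:
    id: int
    secrets: str                                   # data visible only to members
    admin_ids: Set[int] = field(default_factory=set)
    invited_ids: Set[int] = field(default_factory=set)


@dataclass
class Caller:
    customer_id: Optional[int] = None   # set when the request carries a customer token
    is_admin: bool = False              # set when it carries an admin/integration token


class Forbidden(Exception):
    pass


def fixture():
    """Constructed sample state: two companies and one customer who belongs to neither."""
    customers = {7: Customer(7)}
    companies = {
        1: Company(1, "acme-pricelist", admin_ids={3}),
        2: Company(2, "globex-pricelist", invited_ids={7}),
    }
    return customers, companies


def assign_company_vulnerable(customers, companies, caller, body):
    """Vulnerable pattern: the company id in the request body is trusted as-is and
    the caller is never consulted, so anyone, token or not, can bind a customer
    record to any company that exists."""
    customer = customers[body["customer_id"]]
    company = companies[body["company_id"]]        # only existence is checked
    customer.company_id = company.id
    return customer


def assign_company_hardened(customers, companies, caller, body):
    """Hardened pattern (an assumed fix, not Magento's actual patch): require a token,
    then allow the assignment only when server-side state says the caller may make
    it: an admin token, a company admin adding a member to their own company, or
    the customer accepting an invitation the company itself created."""
    if caller is None or (caller.customer_id is None and not caller.is_admin):
        raise Forbidden("authentication required")
    customer = customers[body["customer_id"]]
    company = companies[body["company_id"]]
    allowed = (
        caller.is_admin
        or caller.customer_id in company.admin_ids
        or (caller.customer_id == customer.id and customer.id in company.invited_ids)
    )
    if not allowed:
        raise Forbidden(f"caller may not assign customer {customer.id} to company {company.id}")
    customer.company_id = company.id
    return customer


def hardened_rejects(customers, companies, caller, body) -> bool:
    """True if the hardened handler refuses the request, False if it applies it."""
    try:
        assign_company_hardened(customers, companies, caller, body)
    except Forbidden:
        return True
    return False


def read_company_data(customers, companies, caller):
    """The read side that makes the assignment bug matter: membership is the only
    gate, so a self-assigned membership yields the company's confidential data."""
    if caller is None or caller.customer_id is None:
        raise Forbidden("authentication required")
    customer = customers[caller.customer_id]
    if customer.company_id is None:
        raise Forbidden("customer belongs to no company")
    return companies[customer.company_id].secrets


def demo_attack():
    """Walk the bypass end to end against the vulnerable handler: an assignment call
    with no token at all, followed by a read with the attacker's own customer token."""
    customers, companies = fixture()
    assign_company_vulnerable(customers, companies, None, {"customer_id": 7, "company_id": 1})
    return read_company_data(customers, companies, Caller(customer_id=7))
```

The point the hardened handler makes is that the decision is never taken from the request: `company_id` only selects the target, and whether the binding happens is settled by `admin_ids`, `invited_ids` or the token type, all of which the attacker does not control. Run `is_affected()` against the version string of each Magento instance you operate to decide whether the upgrade below applies.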
Remediation
Upgrade to the first fixed release of the branch in use: Magento 2.1.18, 2.2.9, or 2.3.2, or a later release of that branch.
References