Storefront user can access history and most viewed data from matching back-office user with the same ID
Moderate severity
GitHub Reviewed
Published Mar 25, 2024 in oroinc/orocommerce • Updated Mar 25, 2024
Package
Affected versions
>= 4.1.0, <= 4.1.13
>= 4.2.0, <= 4.2.10
>= 5.0.0, <= 5.0.11
>= 5.1.0, <= 5.1.3
Patched versions
5.1.4
Description
Published by the National Vulnerability Database: Mar 25, 2024
Published to the GitHub Advisory Database: Mar 25, 2024
Reviewed: Mar 25, 2024
Last updated: Mar 25, 2024
Impact
Navigation history, most viewed and favorite navigation items are returned to a storefront user in the JSON navigation response if the ID of the storefront user matches the ID of a back-office user.
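The advisory does not describe the root cause. The following added example (not OroCommerce code) models the failure mode under the assumption that navigation items are looked up by numeric user ID alone, and shows a lookup scoped by account type plus a regression check. All names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: back-office and storefront accounts live in separate tables,
# so their auto-increment IDs can collide. "realm" is a hypothetical label.
@dataclass(frozen=True)
class Principal:
    realm: str    # "backoffice" or "storefront"
    user_id: int

# Constructed sample of stored back-office navigation items.
NAV_ITEMS = [
    {"owner_realm": "backoffice", "owner_id": 7, "type": "history", "title": "Customer price lists"},
    {"owner_realm": "backoffice", "owner_id": 7, "type": "mostviewed", "title": "Orders"},
    {"owner_realm": "backoffice", "owner_id": 8, "type": "favorite", "title": "Users"},
]

def navigation_by_id_only(principal):
    """Flawed lookup: matches on the numeric ID and ignores the account type."""
    return [i for i in NAV_ITEMS if i["owner_id"] == principal.user_id]

def navigation_scoped(principal):
    """Hardened lookup: the owner must match on both account type and ID."""
    if principal.realm != "backoffice":
        return []  # storefront sessions own no back-office navigation data
    return [i for i in NAV_ITEMS
            if i["owner_realm"] == principal.realm
            and i["owner_id"] == principal.user_id]

def leaked_titles(lookup, principal):
    """Regression check: titles returned to a principal that does not own them."""
    me = (principal.realm, principal.user_id)
    return [i["title"] for i in lookup(principal)
            if (i["owner_realm"], i["owner_id"]) != me]

if __name__ == "__main__":
    shopper = Principal("storefront", 7)  # same numeric ID as back-office user 7
    admin = Principal("backoffice", 7)
    print("id-only leak:", leaked_titles(navigation_by_id_only, shopper))
    print("scoped leak: ", leaked_titles(navigation_scoped, shopper))
    print("admin sees:  ", [i["title"] for i in navigation_scoped(admin)])
```

A check like `leaked_titles` can be kept as a regression test so that any lookup returning items to a principal of the wrong account type fails the build.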
References