CVE-2019-8235
First published: Tue Oct 29 2019(Updated: )
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CentOS Libgcc | >=2.1.0<2.1.17 | |
| CentOS Libgcc | >=2.1.0<2.1.17 | |
| CentOS Libgcc | >=2.2.0<2.2.8 | |
| CentOS Libgcc | >=2.2.0<2.2.8 | |
| CentOS Libgcc | >=2.3.0<2.3.1 | |
| CentOS Libgcc | >=2.3.0<2.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2019-8235?
CVE-2019-8235 has a medium severity rating due to its potential to expose personally identifiable information.
How do I fix CVE-2019-8235?
To fix CVE-2019-8235, upgrade Magento to version 2.3.1, 2.2.8, or 2.1.17 or later.
Who is affected by CVE-2019-8235?
CVE-2019-8235 affects authenticated users of Magento versions prior to 2.3.1, 2.2.8, and 2.1.17.
What types of information can be exposed by CVE-2019-8235?
CVE-2019-8235 may allow unauthorized access to personally identifiable shipping details of other users.
Is CVE-2019-8235 a common vulnerability in Magento?
CVE-2019-8235 represents a common insecure direct object reference vulnerability found in Magento installations.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/references
- agent/severity
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0