GHSA-hvgw-gg3p-295j: Infoleak
First published: Wed May 15 2024(Updated: )
A researcher identified an endpoint in a thirth party module Klaviyo Magento 2 which allows to read private customer data from stores. It works by reclaiming any guest-cart as your own and reading the private data for the orders in the Magento API.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/klaviyo/magento2-extension | >=1.0.0<3.0.0 | 3.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of GHSA-hvgw-gg3p-295j?
The severity of GHSA-hvgw-gg3p-295j is considered high due to the potential exposure of private customer data.
How do I fix GHSA-hvgw-gg3p-295j?
To fix GHSA-hvgw-gg3p-295j, upgrade the Klaviyo Magento 2 extension to version 3.0.0 or later.
What impact does GHSA-hvgw-gg3p-295j have on customer data?
GHSA-hvgw-gg3p-295j allows unauthorized access to private customer data linked to guest carts.
Which versions of the Klaviyo Magento 2 extension are affected by GHSA-hvgw-gg3p-295j?
Versions of the Klaviyo Magento 2 extension from 1.0.0 up to, but not including, 3.0.0 are affected by GHSA-hvgw-gg3p-295j.
Is there a known workaround for GHSA-hvgw-gg3p-295j?
Currently, the best course of action against GHSA-hvgw-gg3p-295j is to update the extension as no official workaround has been provided.
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hvgw-gg3p-295j
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/type
- agent/description
- collector/github-advisory
- agent/tags
- agent/source
- package-manager/composer