GHSA-hvgw-gg3p-295j

Опубликовано: 15 мая 2024

Источник: github

Github: Прошло ревью

Описание

Read private customer data reclaiming carts in Klaviyo Magento

A researcher identified an endpoint in a thirth party module Klaviyo Magento 2 which allows to read private customer data from stores. It works by reclaiming any guest-cart as your own and reading the private data for the orders in the Magento API.

Ссылки

https://github.com/klaviyo/magento2-klaviyo/pull/107
https://gist.github.com/JeroenBoersma/f5864a45e3df63b198a57abdff366df2
https://github.com/FriendsOfPHP/security-advisories/blob/master/klaviyo/magento2-extension/2021-05-25-1.yaml

Пакеты

Наименование

klaviyo/magento2-extension

composer

Затронутые версииВерсия исправления

>= 1.0.0, < 3.0.0

3.0.0

Дефекты

CWE-200

Дефекты

CWE-200