CVE-2024-29888

Saleor vulnerable to customers addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method

Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method, under specific conditions a customer could overwrite the warehouse address with their own, which then exposes that customer's address as the click-and-collect address. This issue has been patched in versions `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28` and `3.19.15`.
Data provided by the National Vulnerability Database (NVD)
Affected configurations (vendor: Saleor, product: Saleor)
Version >= 3.14.56, < 3.14.61
Version >= 3.15.31, < 3.15.37
Version >= 3.16.27, < 3.16.34
Version >= 3.17.25, < 3.17.32
Version >= 3.18.19, < 3.18.28
Version >= 3.19.5, < 3.19.15
No advisory warning was found for this CVE.
EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  0.54%   0.409
CVSS Metrics
Source                          Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                    5.4         2.8            2.5           CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
security-advisories@github.com  4.2         1.6            2.5           CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

References
https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761 (Patch)
https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c (Patch)
https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b (Patch)
https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26 (Patch)
https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4 (Patch)
https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95 (Patch)
https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182 (Patch)
https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640 (Patch)
https://github.com/saleor/saleor/pull/15694 (Issue Tracking)
https://github.com/saleor/saleor/pull/15697 (Issue Tracking)
https://github.com/saleor/saleor/security/advisories/GHSA-mrj3-f2h4-7w45 (Vendor Advisory)