PT-2019-15534 · Cezerin · Cezerin

Published: 2019-10-29 · Updated: 2022-05-24 · CVE-2019-18608

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Cezerin version 0.33.0

Description: The issue allows unauthorized modification of order information because internal attributes can be overwritten via conflicting names when processing order requests. A malicious customer can manipulate an order, such as its payment status or shipping fee, by adding extra attributes to the user input of the PUT "/ajax/cart" operation during checkout. The cause is the getValidDocumentForUpdate function in api/server/services/orders/orders.js.

Recommendations: For Cezerin version 0.33.0, as a temporary workaround, consider restricting access to the getValidDocumentForUpdate function in api/server/services/orders/orders.js until a patch is available. Do not expose the PUT "/ajax/cart" operation for checkout without proper validation of user-input attributes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE


Weakness Enumeration

Related identifiers

CVE-2019-18608
GHSA-6PQ6-CRW9-522H

Affected products

Cezerin