PT-2020-13033 · Xt · Xt:Commerce
Published: 2020-04-30 · Updated: 2024-04-29 · CVE-2020-12101
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
xt:Commerce versions 5.1 through 6.2.2
Description
Remote authenticated users can manipulate the id field in the POST request that alters an address, and thereby zero out other users' stored addresses.
Recommendations
For versions 5.1 through 6.2.2, consider restricting access to the address-management feature until a patch is available. As a temporary workaround, avoid using the id field in the POST request for altering an address, to minimize the risk of exploitation.
Exploit
Fix
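A minimal model of the bug class described above, written here as an added example (it is not xt:Commerce code or the vendor's fix): the vulnerable handler trusts the POSTed id alone, while the hardened handler scopes the lookup to the customer id held in the server-side session and logs mismatches for detection. The in-memory store, the Address and Forbidden types, the field names and the audit list are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Address:
    address_id: int
    customer_id: int
    street: str
    city: str

class Forbidden(Exception):
    """Raised when a request names an address the session does not own."""

# Constructed sample store: two customers, one saved address each.
ADDRESSES = {
    101: Address(101, customer_id=1, street="1 Main St", city="Springfield"),
    202: Address(202, customer_id=2, street="9 Elm Rd", city="Shelbyville"),
}
AUDIT_LOG = []  # mismatches land here; a real app would write to its log

def update_address_vulnerable(session_customer_id, post):
    """Bug pattern: the address is looked up by the POSTed id alone, so the
    session identity never enters the decision and any logged-in customer
    can overwrite (or blank out) any address in the store."""
    addr = ADDRESSES[int(post["id"])]
    addr.street = post.get("street", "")
    addr.city = post.get("city", "")
    return addr

def find_owned_address(address_id, customer_id):
    """Scoped lookup: the row must match both the id and the session owner.
    Equivalent to `WHERE id = ? AND customer_id = ?` in a DB-backed app."""
    addr = ADDRESSES.get(address_id)
    if addr is None or addr.customer_id != customer_id:
        return None
    return addr

def update_address_fixed(session_customer_id, post):
    """Hardened handler: ownership comes from the server-side session, the
    client-supplied id only selects among that customer's own rows, and a
    mismatch is refused and logged as a possible IDOR attempt."""
    address_id = int(post["id"])
    addr = find_owned_address(address_id, session_customer_id)
    if addr is None:
        AUDIT_LOG.append(
            f"customer {session_customer_id} tried to edit address {address_id}")
        raise Forbidden("address not found for this customer")
    addr.street = post.get("street", "")
    addr.city = post.get("city", "")
    return addr
```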
Weakness Enumeration
Incorrect Default Permissions
Related Identifiers
CVE-2020-12101
Affected Products
Xt:Commerce