PT-2024-23111 · Saleor · Saleor

Nyankiyoshi · Published 2024-03-27 · Updated 2026-01-08 · CVE-2024-29888

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Saleor versions prior to 3.14.61
Saleor versions prior to 3.15.37
Saleor versions prior to 3.16.34
Saleor versions prior to 3.17.32
Saleor versions prior to 3.18.28
Saleor versions prior to 3.19.15
Description

The issue occurs when the "Pickup: Local stock only" click-and-collect option is used as a delivery method under specific conditions. A customer is then able to overwrite the warehouse address with their own, which exposes the customer's address as the click-and-collect address.
Recommendations

For versions prior to 3.14.61, upgrade to version 3.14.61 or later.
For versions prior to 3.15.37, upgrade to version 3.15.37 or later.
For versions prior to 3.16.34, upgrade to version 3.16.34 or later.
For versions prior to 3.17.32, upgrade to version 3.17.32 or later.
For versions prior to 3.18.28, upgrade to version 3.18.28 or later.
For versions prior to 3.19.15, upgrade to version 3.19.15 or later.

As a temporary workaround, consider turning off the click-and-collect delivery method in the warehouse view when the Pickup option is set to "Local stock only".

Related Identifiers

CVE-2024-29888
GHSA-MRJ3-F2H4-7W45

Affected Products

Saleor