CVE-2025-52920

Name of the Vulnerable Software and Affected Versions: Innoshop versions 0.4.1 and earlier

Description: The issue allows for Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. This can be exploited by creating a customer account, allowing an attacker to disclose the personally identifiable information (PII) of other customers and delete their product reviews. Specifically, an attacker can view order details by browsing to "/en/account/orders/ ORDER ID " or manipulate the shipping address id and billing address id parameters to use other customers' address and billing information when making an order. Additionally, an attacker can delete other users' reviews by sending a DELETE request to "/en/account/reviews/ REVIEW ID".

Recommendations: For Innoshop versions 0.4.1 and earlier, as a temporary workaround, consider restricting access to the /en/account/orders/ ORDER ID endpoint and validating the shipping address id and billing address id parameters to prevent unauthorized access and manipulation. Also, restrict the ability to send DELETE requests to /en/account/reviews/ REVIEW ID to authorized users only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.