Vulnerabilities > CVE-2019-1010304 - Missing Authorization vulnerability in Mirumee Saleor

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

mirumee

CWE-862

NVD

Published: 2019-07-15

Updated: 2020-08-24

Summary

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop's revenue data. The fixed version is: 2.3.1.

Vulnerable Configurations

Part	Description	Count
Application	Mirumee Mirumee Saleor 2.0.0 Mirumee Saleor 2.1.0 Mirumee Saleor 2.2.0 Mirumee Saleor 2.3.0	4

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://github.com/mirumee/saleor/issues/3768