Vulnerabilities > CVE-2019-18608 - Unspecified vulnerability in Cezerin 0.33.0

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

cezerin

NVD

Published: 2019-10-29

Updated: 2024-11-21

Summary

Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order (e.g., its payment status or shipping fee) by adding additional attributes to user-input during the PUT /ajax/cart operation for a checkout, because of getValidDocumentForUpdate in api/server/services/orders/orders.js.

Vulnerable Configurations

Part	Description	Count
Application	Cezerin Cezerin Cezerin 0.33.0	1

References

https://github.com/cl0udz/vulnerabilities/blob/master/cezerin-manipulate_order_information/README.md
https://github.com/cl0udz/vulnerabilities/blob/master/cezerin-manipulate_order_information/README.md