Miggo Logo
Miggo Vulnerability Database
CVE-2019-7854

CVE-2019-7854: Magento 2 Community Edition IDOR Vulnerability

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-7854
GHSA ID
GHSA-hpxv-vpfv-7jc9
EPSS Score
0.2585%
CWE
CWE-639
Published
5/24/2022
Updated
2/12/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.1.0, < 2.1.182.1.18
magento/community-editioncomposer>= 2.2.0, < 2.2.92.2.9
magento/community-editioncomposer>= 2.3.0, < 2.3.22.3.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability involves unauthorized access to company credit history via IDOR. Magento's B2B CompanyCredit module is the logical location for this functionality. Controller actions handling credit history views and service methods retrieving credit details would require proper authorization checks that were likely missing. The pattern matches CWE-639 where user-controlled keys (company IDs) are used without access validation. While exact code isn't available, Magento's architecture patterns and the vulnerability nature strongly suggest these components would be involved in the insecure workflow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n ins**ur* *ir**t o*j**t r***r*n** (I*OR) vuln*r**ility in M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.*, M***nto *.* prior to *.*.* **n l*** to un*ut*oriz** *is*losur* o* *omp*ny *r**it *istory **t*ils.

Reasoning

T** vuln*r**ility involv*s un*ut*oriz** ****ss to *omp*ny *r**it *istory vi* I*OR. M***nto's *** *omp*ny*r**it mo*ul* is t** lo*i**l lo**tion *or t*is *un*tion*lity. *ontroll*r **tions **n*lin* *r**it *istory vi*ws *n* s*rvi** m*t*o*s r*tri*vin* *r**