CVE-2019-7864: Magento 2 Community Edition IDOR Vulnerability

CVSS Score
5.3 (CVSS 3.0)

Basic Information

EPSS Score
0.18952%
Published
5/24/2022
Updated
2/12/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name               Ecosystem  Vulnerable Versions   First Patched Version
magento/community-edition  composer   >= 2.1.0, < 2.1.18    2.1.18
magento/community-edition  composer   >= 2.2.0, < 2.2.9     2.2.9
magento/community-edition  composer   >= 2.3.0, < 2.3.2     2.3.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description explicitly mentions IDOR in RSS feeds leading to order detail exposure. Magento's RSS order feed functionality is typically handled by the Order/Index controller. The execute() method would process the request parameters (including order ID) and fetch order data. Without proper authorization checks validating user ownership of the requested order ID, this creates an IDOR vulnerability. The CWE-639 classification confirms this is an authorization bypass through user-controlled keys (order IDs in this case). While exact patch details aren't available, historical Magento security practices show these vulnerabilities are often fixed by adding customer session validation in controller actions handling sensitive data retrieval.
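
As an added illustration (not Magento's own controller code, and not the actual patch, which is noted above as unavailable), the plain PHP stand-in below shows the vulnerable lookup pattern beside a hardened version that validates order ownership against the customer session; the order store, request array and session customer ID are constructed sample values.

```php
<?php
// Added illustration, not Magento code: an in-memory order store and a
// hypothetical RSS order-feed handler in vulnerable and hardened forms.

// Constructed sample orders keyed by order ID; customer_id is the owner.
$orders = [
    100 => ['customer_id' => 1, 'total' => '49.90',  'items' => 'Widget x2'],
    101 => ['customer_id' => 2, 'total' => '120.00', 'items' => 'Gadget x1'],
];

// Vulnerable pattern (CWE-639): the order ID taken from the request is used
// directly as the lookup key; nothing ties it to the logged-in customer.
function feedVulnerable(array $orders, array $request, ?int $sessionCustomerId): ?array
{
    $orderId = (int) ($request['order_id'] ?? 0);
    return $orders[$orderId] ?? null;   // any valid ID yields any customer's order
}

// Hardened pattern: require a logged-in customer and compare the order's
// customer_id with the session's customer ID before returning any detail.
function feedHardened(array $orders, array $request, ?int $sessionCustomerId): ?array
{
    if ($sessionCustomerId === null) {
        return null;                      // anonymous request: no order data at all
    }
    $orderId = (int) ($request['order_id'] ?? 0);
    $order   = $orders[$orderId] ?? null;
    if ($order === null || $order['customer_id'] !== $sessionCustomerId) {
        return null;                      // same answer for unknown and foreign IDs
    }
    return $order;
}

// Demo: customer 1 asks for order 101, which belongs to customer 2,
// then for order 100, which is their own.
$foreign = ['order_id' => 101];
$own     = ['order_id' => 100];
echo 'vulnerable, foreign order: ', feedVulnerable($orders, $foreign, 1) === null ? 'denied' : 'leaked',   PHP_EOL;
echo 'hardened,   foreign order: ', feedHardened($orders, $foreign, 1)   === null ? 'denied' : 'leaked',   PHP_EOL;
echo 'hardened,   own order:     ', feedHardened($orders, $own, 1)       === null ? 'denied' : 'returned', PHP_EOL;
```

Returning the same empty result for both non-existent and foreign order IDs also avoids turning the feed into an order-ID enumeration oracle.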


WAF Protection Rules

WAF Rule

An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
