8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38218

GHSA ID

GHSA-rpc7-gf58-v3x2

EPSS Score

0.70907%

CWE

CWE-20

Published

10/13/2023

Updated

3/4/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38218

CVE-2023-38218:
Magento Open Source allows Incorrect Authorization

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the V1/customers/me endpoint to achieve information exposure and privilege escalation.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38218

GHSA ID

GHSA-rpc7-gf58-v3x2

EPSS Score

0.70907%

CWE

CWE-20

Published

10/13/2023

Updated

3/4/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	= 2.4.7-beta1	2.4.7-beta2
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	= 2.4.4
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p3	2.4.6-p3
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p5	2.4.5-p5
magento/community-edition	composer	>= 2.4.4-p1, < 2.4.4-p6	2.4.4-p6
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on improper input validation and authorization in the V1/customers/me endpoint. The 'me' endpoint typically maps to the current user, but the issue suggests the system allows substituting or overriding this reference. The controller action (Get::execute) is the entry point for this endpoint and is responsible for input handling. If it passes unvalidated user-supplied parameters (e.g., a manipulated customer ID) to CustomerRepositoryInterface::getById, which lacks authorization checks, attackers can access arbitrary customer data. Both functions are critical to the insecure direct object reference chain described in CWE-639 and CWE-863.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-**t** (*n* **rli*r), *.*.*-p* (*n* **rli*r), *.*.*-p* (*n* **rli*r) *n* *.*.*-p* (*n* **rli*r) *r* *****t** *y *n improp*r input v*li**tion vuln*r**ility. *n *ut**nti**t** *tt**k*r **n tri***r *n ins**ur* *ir**t o*j**t r

Reasoning

T** vuln*r**ility **nt*rs on improp*r input v*li**tion *n* *ut*oriz*tion in t** `V*/*ustom*rs/m*` *n*point. T** 'm*' *n*point typi**lly m*ps to t** *urr*nt us*r, *ut t** issu* su***sts t** syst*m *llows su*stitutin* or ov*rri*in* t*is r***r*n**. T**

8.8

Basic Information

Concerned about an active attack path?

CVE-2023-38218: Magento Open Source allows Incorrect Authorization

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-38218:
Magento Open Source allows Incorrect Authorization

Vulnerability Intelligence
Miggo AI