This is really bad
ea51000
Currently it is possible to:

1. Call `setCustomerForOrder` with `[email protected]`
2. Query `activeOrder.customer.addresses` to get data on any addresses used by `[email protected]` in the past.

This is a security hole which would expose details of previous guest checkouts, opening the door to enumeration attacks.

Mitigation

Disallow access to the `customer` entity unless authenticated. Check for any other possible vectors of a similar nature.
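The mitigation above, shown as an added example that is not the project's own code: a resolver-style guard for `activeOrder.customer` beside the unguarded form it replaces. The `Session`, `Order` and `Customer` shapes and the `customerForOrder*` names are assumptions for illustration.

```typescript
// Constructed data model (assumed, not the project's real entities).
interface Address { streetLine1: string; city: string; postalCode: string }
interface Customer {
  id: string;
  emailAddress: string;
  userId?: string;          // undefined for a customer created by a guest checkout
  addresses: Address[];
}
interface Order { id: string; customerId?: string }
interface Session { id: string; authenticatedUserId?: string }

// Unguarded form: whichever customer record the session attached to its order
// (e.g. by supplying an e-mail address) is returned in full, including the
// addresses stored from that customer's earlier guest checkouts.
function customerForOrderUnguarded(
  order: Order,
  customers: Map<string, Customer>,
): Customer | null {
  return order.customerId ? customers.get(order.customerId) ?? null : null;
}

// Guarded form: the customer entity is exposed only to a session that is
// authenticated as the user owning that customer. An anonymous session, or a
// session authenticated as a different user, receives nothing, so attaching an
// arbitrary e-mail address no longer reveals stored addresses.
function customerForOrder(
  session: Session,
  order: Order,
  customers: Map<string, Customer>,
): Customer | null {
  if (!order.customerId) return null;
  const customer = customers.get(order.customerId);
  if (!customer) return null;
  // Guest-created customers have no userId and therefore never match here.
  if (!session.authenticatedUserId || customer.userId !== session.authenticatedUserId) {
    return null;
  }
  return customer;
}
```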