216.73.217.173

CVE-2025-52920

· Published 23/06/2025 12:15 · Modified 23/06/2025 20:16

Labels: CVE-2025-52920 2025-06-23CVE-2025-52920CWE-425[email protected]

Essential information

Published
23/06/2025 12:15
Modified
23/06/2025 20:16
Author
Creator
CVSS
6.4 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS metrics

Description

Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
innoshop / innoshop cpe:2.3:a:innoshop:innoshop:0.4.1:*:*:*:*:*:*:*

References