CVE-2025-52920

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-52920
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52920.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52920
Published
2025-06-23T12:15:22.803Z
Modified
2026-04-10T05:30:45.976563Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/ORDERID_ or use the address and billing information of other customers by manipulating the shippingaddressid and billingaddressid parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/REVIEWID.

References

Affected packages

Git / github.com/innocommerce/innoshop

Affected ranges

Type
GIT
Repo
https://github.com/innocommerce/innoshop
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
6e1c6cc37950d2c00b0e3c948b5cd332e8db933d
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.4.1"
        }
    ]
}

Affected versions

v0.*
v0.1.1
v0.2.0
v0.2.1
v0.2.6
v0.2.8
v0.3.0
v0.3.10
v0.3.2
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52920.json"