Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order (e.g., its payment status or shipping fee) by adding additional attributes to user-input during the PUT /ajax/cart
operation for a checkout, because of getValidDocumentForUpdate
in api/server/services/orders/orders.js
.
{ "nvd_published_at": "2019-10-29T19:15:00Z", "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-07-18T20:46:17Z" }