An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned.
Permissions do not seem to be enforced when reaching the admin/ecommerceframework/admin-order/list
endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place :
Note : Testing this vulnerability requires a fully configured ecommerce website, but it looks vulnerable as when requesting the endpoint the data seem returned (and when looking at the source code nothing seems to validate the permissions on the specified endpoint).
In order to reproduce the issue, the following steps can be followed :
https://pimcore_instance/admin/ecommerceframework/admin-order/list
and the results will be returned to this unauthorized userAn unauthorized user can access back-office orders without being authorized to.
{ "nvd_published_at": "2024-01-11T01:15:45Z", "cwe_ids": [ "CWE-284" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-01-10T15:14:38Z" }