GHSA-hvgw-gg3p-295j

Source
https://github.com/advisories/GHSA-hvgw-gg3p-295j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-hvgw-gg3p-295j/GHSA-hvgw-gg3p-295j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hvgw-gg3p-295j
Published
2024-05-15T22:03:47Z
Modified
2024-11-29T05:40:37.431105Z
Summary
Read private customer data reclaiming carts in Klaviyo Magento
Details

A researcher identified an endpoint in the third-party module Klaviyo Magento 2 that allows private customer data to be read from stores. It works by reclaiming any guest cart as your own and then reading the private data for that cart's orders through the Magento API.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T22:03:47Z"
}
References

Affected packages

Packagist / klaviyo/magento2-extension

Package

Name
klaviyo/magento2-extension
Purl
pkg:composer/klaviyo/magento2-extension

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
3.0.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4

2.*

2.0.0
2.1.0
2.1.1
2.2.0-patch
2.2.0