We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.
Reserved 2025-06-21 | Published 2025-06-23 | Updated 2025-06-23 | Assigner mitreCWE-425 Direct Request ('Forced Browsing')
github.com/innocommerce/innoshop
medium.com/...d-multiple-cves-in-innoshop-0-4-1-12c8f84ad87f
Support options
