Home

Description

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

PUBLISHED Reserved 2025-12-29 | Published 2026-01-02 | Updated 2026-01-02 | Assigner GitHub_M




HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-284: Improper Access Control

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 2.3.10
affected

References

github.com/...agisto/security/advisories/GHSA-x5rw-qvvp-5cgm

github.com/...ommit/b2b1cf62577245d03a68532478cffbe321df74d3

cve.org (CVE-2026-21447)

nvd.nist.gov (CVE-2026-21447)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.