Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    8 vulnerabilities by mirumee

    CVE-2020-15085 (GCVE-0-2020-15085)

    Vulnerability from cvelistv5 – Published: 2020-06-30 16:25 – Updated: 2024-08-04 13:08
    VLAI
    Title
    Client caching login operation with plaintext password in Saleor Storefront
    Summary
    In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    mirumee saleor-storefront Affected: < 2.10.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:08:22.044Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "saleor-storefront",
              "vendor": "mirumee",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.10.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-30T16:25:13.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
            }
          ],
          "source": {
            "advisory": "GHSA-4279-h39w-2jqm",
            "discovery": "UNKNOWN"
          },
          "title": "Client caching login operation with plaintext password in Saleor Storefront",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-15085",
              "STATE": "PUBLIC",
              "TITLE": "Client caching login operation with plaintext password in Saleor Storefront"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "saleor-storefront",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 2.10.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "mirumee"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-312 Cleartext Storage of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
                },
                {
                  "name": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
                },
                {
                  "name": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-4279-h39w-2jqm",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-15085",
        "datePublished": "2020-06-30T16:25:13.000Z",
        "dateReserved": "2020-06-25T00:00:00.000Z",
        "dateUpdated": "2024-08-04T13:08:22.044Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-7964 (GCVE-0-2020-7964)

    Vulnerability from cvelistv5 – Published: 2020-01-24 19:38 – Updated: 2024-08-04 09:48
    VLAI
    Summary
    An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:48:24.461Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor/releases/tag/2.9.1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-24T19:38:03.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor/releases/tag/2.9.1"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-7964",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer)."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3"
                },
                {
                  "name": "https://github.com/mirumee/saleor/releases/tag/2.9.1",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor/releases/tag/2.9.1"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-7964",
        "datePublished": "2020-01-24T19:38:03.000Z",
        "dateReserved": "2020-01-24T00:00:00.000Z",
        "dateUpdated": "2024-08-04T09:48:24.461Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-1010304 (GCVE-0-2019-1010304)

    Vulnerability from cvelistv5 – Published: 2019-07-15 14:45 – Updated: 2024-08-05 03:07
    VLAI
    Summary
    Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop's revenue data. The fixed version is: 2.3.1.
    Severity
    No CVSS data available.
    CWE
    • Incorrect Access Control
    Assigner
    dwf
    References
    Impacted products
    Vendor Product Version
    Saleor Saleor Affected: Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release [fixed: 2.3.1]
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:07:18.378Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor/issues/3768"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Saleor",
              "vendor": "Saleor",
              "versions": [
                {
                  "status": "affected",
                  "version": "Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release [fixed: 2.3.1]"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop\u0027s revenue data. The fixed version is: 2.3.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Access Control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-15T14:45:39.000Z",
            "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
            "shortName": "dwf"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor/issues/3768"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-assign@distributedweaknessfiling.org",
              "ID": "CVE-2019-1010304",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Saleor",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release [fixed: 2.3.1]"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Saleor"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop\u0027s revenue data. The fixed version is: 2.3.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Incorrect Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor/issues/3768",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor/issues/3768"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
        "assignerShortName": "dwf",
        "cveId": "CVE-2019-1010304",
        "datePublished": "2019-07-15T14:45:39.000Z",
        "dateReserved": "2019-03-20T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:07:18.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-13594 (GCVE-0-2019-13594)

    Vulnerability from cvelistv5 – Published: 2019-07-14 16:19 – Updated: 2024-08-04 23:57
    VLAI
    Summary
    In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T23:57:39.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor/releases/tag/2.8.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-14T16:19:21.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor/releases/tag/2.8.0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-13594",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor/releases/tag/2.8.0",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor/releases/tag/2.8.0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-13594",
        "datePublished": "2019-07-14T16:19:21.000Z",
        "dateReserved": "2019-07-14T00:00:00.000Z",
        "dateUpdated": "2024-08-04T23:57:39.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-15085 (GCVE-0-2020-15085)

    Vulnerability from nvd – Published: 2020-06-30 16:25 – Updated: 2024-08-04 13:08
    VLAI
    Title
    Client caching login operation with plaintext password in Saleor Storefront
    Summary
    In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    mirumee saleor-storefront Affected: < 2.10.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:08:22.044Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "saleor-storefront",
              "vendor": "mirumee",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.10.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-06-30T16:25:13.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
            }
          ],
          "source": {
            "advisory": "GHSA-4279-h39w-2jqm",
            "discovery": "UNKNOWN"
          },
          "title": "Client caching login operation with plaintext password in Saleor Storefront",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-15085",
              "STATE": "PUBLIC",
              "TITLE": "Client caching login operation with plaintext password in Saleor Storefront"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "saleor-storefront",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 2.10.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "mirumee"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-312 Cleartext Storage of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
                },
                {
                  "name": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
                },
                {
                  "name": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-4279-h39w-2jqm",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-15085",
        "datePublished": "2020-06-30T16:25:13.000Z",
        "dateReserved": "2020-06-25T00:00:00.000Z",
        "dateUpdated": "2024-08-04T13:08:22.044Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-7964 (GCVE-0-2020-7964)

    Vulnerability from nvd – Published: 2020-01-24 19:38 – Updated: 2024-08-04 09:48
    VLAI
    Summary
    An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:48:24.461Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor/releases/tag/2.9.1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-24T19:38:03.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor/releases/tag/2.9.1"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-7964",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer)."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3"
                },
                {
                  "name": "https://github.com/mirumee/saleor/releases/tag/2.9.1",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor/releases/tag/2.9.1"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-7964",
        "datePublished": "2020-01-24T19:38:03.000Z",
        "dateReserved": "2020-01-24T00:00:00.000Z",
        "dateUpdated": "2024-08-04T09:48:24.461Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-1010304 (GCVE-0-2019-1010304)

    Vulnerability from nvd – Published: 2019-07-15 14:45 – Updated: 2024-08-05 03:07
    VLAI
    Summary
    Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop's revenue data. The fixed version is: 2.3.1.
    Severity
    No CVSS data available.
    CWE
    • Incorrect Access Control
    Assigner
    dwf
    References
    Impacted products
    Vendor Product Version
    Saleor Saleor Affected: Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release [fixed: 2.3.1]
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:07:18.378Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor/issues/3768"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Saleor",
              "vendor": "Saleor",
              "versions": [
                {
                  "status": "affected",
                  "version": "Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release [fixed: 2.3.1]"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop\u0027s revenue data. The fixed version is: 2.3.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Access Control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-15T14:45:39.000Z",
            "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
            "shortName": "dwf"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor/issues/3768"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-assign@distributedweaknessfiling.org",
              "ID": "CVE-2019-1010304",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Saleor",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release [fixed: 2.3.1]"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Saleor"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop\u0027s revenue data. The fixed version is: 2.3.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Incorrect Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor/issues/3768",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor/issues/3768"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
        "assignerShortName": "dwf",
        "cveId": "CVE-2019-1010304",
        "datePublished": "2019-07-15T14:45:39.000Z",
        "dateReserved": "2019-03-20T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:07:18.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-13594 (GCVE-0-2019-13594)

    Vulnerability from nvd – Published: 2019-07-14 16:19 – Updated: 2024-08-04 23:57
    VLAI
    Summary
    In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T23:57:39.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/mirumee/saleor/releases/tag/2.8.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-14T16:19:21.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/mirumee/saleor/releases/tag/2.8.0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-13594",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/mirumee/saleor/releases/tag/2.8.0",
                  "refsource": "MISC",
                  "url": "https://github.com/mirumee/saleor/releases/tag/2.8.0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-13594",
        "datePublished": "2019-07-14T16:19:21.000Z",
        "dateReserved": "2019-07-14T00:00:00.000Z",
        "dateUpdated": "2024-08-04T23:57:39.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }