<p>Upgrade <code>magento/core</code> to version 1.9.3.10 or higher.</p>

Privilege Escalation Affecting magento/core package, versions <1.9.3.10

Snyk CVSS

Attack Complexity High

Confidentiality High

Integrity High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PHP-MAGENTOCORE-72877
published 2 Jan 2019
disclosed 10 Sep 2018
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 10 Sep 2018

CWE-269 Open this link in a new tab

How to fix?

Upgrade magento/core to version 1.9.3.10 or higher.

Overview

magento/core is a release of the Magento Community Edition.

Affected versions of this package are vulnerable to Privilege Escalation. The reset password link for a customer account includes the customer ID. This Customer ID can be used by an attacker to gain access to the customer account, despite the use of a token.

References

GitHub Commit
Magento Security Advisory