Serious security issue in Customer Address edit section #1107
@kalpmehta, thank you for posting this issue. We'll check it immediately and fix ASAP if it is confirmed.
vpelipenko added the "Issue: Ready for Work" (Gate 4. Acknowledged. Issue is added to backlog and ready for development) and "in progress" labels on Mar 19, 2015.
Internal ticket: MAGETWO-35333. We are working on this issue now.
Thanks for acknowledging and quickly checking into this.
magento-team pushed three commits that referenced this issue on Mar 23, 2015.
vpelipenko added a commit that referenced this issue on Mar 23, 2015:
[South] MAGETWO-35333: [GITHUB] Serious security issue in Customer Address edit section #1107
@kalpmehta, this has been resolved in 0.74.0-beta1. Thank you again for submitting this issue. We greatly appreciate your continued support in Magento!
sshrewz removed the "Issue: Ready for Work" (Gate 4. Acknowledged. Issue is added to backlog and ready for development) and "in progress" labels on Mar 23, 2015.
I installed the latest Magento2 beta version yesterday and was checking it today. I found a serious issue where a customer can view/edit (yes EDIT!) another customer's address. It's very simple to reproduce: just change the ID of the address in the URL and you will be presented with that address to edit.
Proof of concept:
http://www.example.com/customer/address/edit/id/1/
I will be able to see that address (even if it's not mine) and will be allowed to edit it without any issue.
The version I am using: Magento ver. 0.42.0-beta11
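
The flaw reported above is a missing ownership check on the address id taken from the URL. As an added example (not Magento's code or its fix; the function names and sample data are hypothetical), here is the unchecked lookup next to one that ties the record to the logged-in customer:

```php
<?php
declare(strict_types=1);

// Constructed sample data: address id => owning customer id and street.
const ADDRESSES = [
    1 => ['customer_id' => 10, 'street' => '1 Constructed Way'],
    2 => ['customer_id' => 20, 'street' => '2 Sample Road'],
];

// Flawed pattern from the report: the id from the URL is trusted as-is.
function loadAddressUnchecked(int $addressId): ?array
{
    return ADDRESSES[$addressId] ?? null;
}

// Hardened pattern: the record must belong to the customer in the session.
// Missing and foreign ids get the same answer, so the response does not
// reveal which address ids exist.
function loadAddressForCustomer(int $addressId, int $sessionCustomerId): ?array
{
    $address = ADDRESSES[$addressId] ?? null;
    if ($address === null || $address['customer_id'] !== $sessionCustomerId) {
        return null;
    }
    return $address;
}

// Hypothetical handler for /customer/address/edit/id/<id>/.
function editAddressAction(string $rawId, int $sessionCustomerId): string
{
    if (!ctype_digit($rawId)) {
        return '404 Not Found';
    }
    $address = loadAddressForCustomer((int) $rawId, $sessionCustomerId);
    return $address === null
        ? '404 Not Found'
        : '200 OK: edit form for ' . $address['street'];
}

// Constructed session: the logged-in customer (id 20) owns address 2 only.
$sessionCustomerId = 20;
var_dump(loadAddressUnchecked(1) !== null); // unchecked lookup, foreign id
echo editAddressAction('1', $sessionCustomerId), PHP_EOL; // checked, foreign id
echo editAddressAction('2', $sessionCustomerId), PHP_EOL; // checked, own id
```

The same ownership check has to guard the save request as well as the form display, since the report covers both viewing and editing.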