GitHub Advisory Database: GHSA-HVGW-GG3P-295J
May 15, 2024 - 10:03 p.m.

Read private customer data reclaiming carts in Klaviyo Magento

2024-05-15 22:03:47
CWE-200
GitHub Advisory Database
github.com
researcher identified
third party module
klaviyo magento
unauthorized access
private data
magento api

6.9 Medium

AI Score

Confidence

Low

A researcher identified an endpoint in the third-party module Klaviyo Magento 2 that allows reading private customer data from stores. It works by reclaiming any guest cart as your own and reading the private data for the orders in the Magento API.

Affected configurations

Vulners
Node
klaviyo klaviyo, Range: 1.0.0
OR
klaviyo klaviyo, Range: <3.0.0
