GitHub Advisory Database: GHSA-HVGW-GG3P-295J
History: May 15, 2024 - 10:03 p.m.

Read private customer data reclaiming carts in Klaviyo Magento

2024-05-15 22:03:47
CWE-200
GitHub Advisory Database
github.com
researcher identified
third party module
klaviyo magento
unauthorized access
private data
magento api

AI Score

6.9

Confidence

Low

A researcher identified an endpoint in the third-party module Klaviyo Magento 2 that allows reading private customer data from stores. It works by reclaiming any guest cart as your own and reading the private data for the orders in the Magento API.

Affected configurations

Vulners
Node: klaviyo magento2-extension
Range: 1.0.0 - 3.0.0

Vendor: klaviyo
Product: magento2-extension
Version: *
CPE: cpe:2.3:a:klaviyo:magento2-extension:*:*:*:*:*:*:*:*
