AI Score: 6.9 Medium
Confidence: Low
A researcher identified an endpoint in the third-party Klaviyo Magento 2 module that allows reading private customer data from stores. It works by claiming any guest cart as your own and then reading the private data for that cart's orders through the Magento API.
gist.github.com/JeroenBoersma/f5864a45e3df63b198a57abdff366df2
github.com/FriendsOfPHP/security-advisories/blob/master/klaviyo/magento2-extension/2021-05-25-1.yaml
github.com/klaviyo/magento2-klaviyo
github.com/klaviyo/magento2-klaviyo/pull/107