CVE-2016-2212
The getOrderByStatusUrlKey function in the Mage_Rss_Helper_Order class in app/code/core/Mage/Rss/Helper/Order.php in Magento Enterprise Edition before 1.14.2.3 and Magento Community Edition before 1.9.2.3 allows remote attackers to obtain sensitive order information via the orderid in a JSON object ...
CVE-2016-2212
The CVE concerns Magento RSS feed information disclosure via the method getOrderByStatusUrlKey in Mage_Rss_Helper_Order. In affected Magento EE before 1.14.2.3 and CE before 1.9.2.3, a remote attacker can obtain sensitive order information by supplying a base64-encoded JSON object in the data par...
Magento 1.9.2.2 RSS Feed Information Disclosure
Magento
load($data['orderid']);
if ($order->getId()
    && $order->getIncrementId() == $data['incrementid']
    && $order->getCustomerId() == $data['customerid']
) {
    return $order;
}

return null;
User input passed through t...