CVE-2025-52920

{"id": "CVE-2025-52920", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.1}]}, "published": "2025-06-23T12:15:22.803", "references": [{"url": "https://github.com/innocommerce/innoshop", "source": "cve@mitre.org"}, {"url": "https://medium.com/@The_Hiker/how-i-found-multiple-cves-in-innoshop-0-4-1-12c8f84ad87f", "source": "cve@mitre.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-425"}]}], "descriptions": [{"lang": "en", "value": "Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID."}, {"lang": "es", "value": "Innoshop, hasta la versi\u00f3n 0.4.1, permite la Referencia Directa a Objetos Insegura (IDOR) en varios puntos de la interfaz de la tienda. Cualquiera puede crear una cuenta de cliente y explotarla f\u00e1cilmente. Una explotaci\u00f3n exitosa da como resultado la divulgaci\u00f3n de la informaci\u00f3n personal identificable (PII) de otros clientes y la eliminaci\u00f3n de sus rese\u00f1as de productos en el sitio web. En concreto, un atacante podr\u00eda ver los detalles de cualquier pedido accediendo a /en/account/orders/_ORDER_ID_ o usar la direcci\u00f3n y la informaci\u00f3n de facturaci\u00f3n de otros clientes manipulando los par\u00e1metros shipping_address_id y billing_address_id al realizar un pedido (esta informaci\u00f3n se refleja en el recibo). Adem\u00e1s, un atacante podr\u00eda eliminar las rese\u00f1as de otros usuarios enviando una solicitud DELETE a /en/account/reviews/_REVIEW_ID."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cve@mitre.org"}