GHSA-hvgw-gg3p-295j: Read private customer data reclaiming carts in Klaviyo Magento
A researcher identified an endpoint in the third-party module Klaviyo Magento 2 which allows reading private customer data from stores. It works by reclaiming any guest cart as your own and then reading the private data for that cart's orders through the Magento API.
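Because the weakness is that any guest cart can be reclaimed, the abuse pattern a store operator would look for is one client reclaiming many different carts in a short window. The script below is an added example, not code from the advisory, from Klaviyo or from Magento: it scans web-server access logs for that pattern. The endpoint path (`/klaviyo/reclaim`) and the cart-id parameter name (`quote_id`) are hypothetical placeholders, since the advisory does not name the endpoint, and the log lines are constructed for the demonstration.

```python
"""Added example: flag clients that reclaim many distinct guest carts.

Hypothetical assumptions (not from the advisory): the reclaim endpoint is
logged under a path containing "/reclaim" and carries the cart id in the
query parameter "quote_id". Adjust both to the real module's routes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined-log style, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - [10/Oct/2023:10:00:01 +0000] "GET /klaviyo/reclaim?quote_id=1001 HTTP/1.1" 200
203.0.113.5 - [10/Oct/2023:10:00:02 +0000] "GET /klaviyo/reclaim?quote_id=1002 HTTP/1.1" 200
203.0.113.5 - [10/Oct/2023:10:00:03 +0000] "GET /klaviyo/reclaim?quote_id=1003 HTTP/1.1" 200
203.0.113.5 - [10/Oct/2023:10:00:04 +0000] "GET /klaviyo/reclaim?quote_id=1004 HTTP/1.1" 200
203.0.113.5 - [10/Oct/2023:10:00:05 +0000] "GET /klaviyo/reclaim?quote_id=1005 HTTP/1.1" 200
198.51.100.7 - [10/Oct/2023:10:00:06 +0000] "GET /klaviyo/reclaim?quote_id=2001 HTTP/1.1" 200
198.51.100.7 - [10/Oct/2023:10:03:00 +0000] "GET /klaviyo/reclaim?quote_id=2001 HTTP/1.1" 200
198.51.100.7 - [10/Oct/2023:10:04:00 +0000] "GET /checkout/cart/ HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
QUOTE_RE = re.compile(r"[?&]quote_id=(\d+)")  # hypothetical parameter name


def parse_reclaims(log_text):
    """Yield (client_ip, timestamp, cart_id) for each successful reclaim request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "/reclaim" not in m.group("path") or m.group("status") != "200":
            continue
        q = QUOTE_RE.search(m.group("path"))
        if not q:
            continue
        yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), q.group(1)


def find_cart_enumeration(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: max distinct carts reclaimed inside one window}
    for every client that reached `threshold`.

    A legitimate shopper reclaims one cart (perhaps several times); a client
    walking through many different cart ids is the pattern worth alerting on.
    """
    events = defaultdict(list)
    for ip, ts, cart_id in parse_reclaims(log_text):
        events[ip].append((ts, cart_id))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order for the sliding window
        best, start = 0, 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({cart_id for _, cart_id in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_cart_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: reclaimed {count} distinct carts within 5 minutes")
```

Only distinct cart ids count, so the second client, which reclaims the same cart twice, is not flagged even at a low threshold; the tuning knobs are `threshold` and `window`. Rate-limiting or removing the endpoint is still the fix; this only tells you whether it is being abused while the module is updated.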