CVE-2019-7890: Authorization Bypass Through User-Controlled Key

May 24, 2022 (updated July 17, 2023)

An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.

References

github.com/advisories/GHSA-3pgc-7jf3-5x5g
nvd.nist.gov/vuln/detail/CVE-2019-7890
web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23

Detect and mitigate CVE-2019-7890 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →