CVE-2020-7964: Missing Authentication for Critical Function

July 28, 2021

An issue was discovered in Mirumee Sale Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).

References

github.com/advisories/GHSA-rgcm-rpq9-9cgr
github.com/mirumee/saleor/commit/233b8890c60fa6d90daf99e4d90fea85867732c3
github.com/mirumee/saleor/releases/tag/2.9.1
nvd.nist.gov/vuln/detail/CVE-2020-7964

Code Behaviors & Features

Detect and mitigate CVE-2020-7964 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →