CVE-2024-29888

Summary

Saleor is an e-commerce platform that serves high-volume companies. When using Pickup: Local stock only click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address. This issue has been patched in versions: 3.14.61, 3.15.37, 3.16.34, 3.17.32, 3.18.28, 3.19.15.

Affected Software

VendorProductVersion RangeStatus
saleorsaleor>= 3.14.56, < 3.14.61affected
saleorsaleor>= 3.15.31, < 3.15.37affected
saleorsaleor>= 3.16.27, < 3.16.34affected
saleorsaleor>= 3.17.25, < 3.17.32affected
saleorsaleor>= 3.18.19, < 3.18.28affected
saleorsaleor>= 3.19.5, < 3.19.15affected

Weaknesses

  • CWE-359: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References