U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CVE-2024-29888 Detail

Description

Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address. This issue has been patched in versions: `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28`, `3.19.15`.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761
https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c
https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b
https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26
https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4
https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95
https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182
https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640
https://github.com/saleor/saleor/pull/15694
https://github.com/saleor/saleor/pull/15697
https://github.com/saleor/saleor/security/advisories/GHSA-mrj3-f2h4-7w45

Weakness Enumeration

CWE-ID CWE Name Source
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor GitHub, Inc.  

Change History

2 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2024-29888
NVD Published Date:
03/27/2024
NVD Last Modified:
03/27/2024
Source:
GitHub, Inc.