Access Control Bypass Vulnerability in Magento 2.1, 2.2, and 2.3

CVE-2019-7950 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information.

Learn more about our Api Penetration Testing.