WS-2021-0130

Date: April 28, 2021

The Klaviyo Magento 2 extension before 3.0.0 allows private customer data to be read from stores. Any guest cart can be reclaimed as the requester's own, after which the private data for the orders can be read through the Magento API.

Language: PHP

Severity Score

Weakness Type (CWE)

Exposure of Private Personal Information to an Unauthorized Actor

CWE-359

Top Fix

Upgrade Version

Upgrade to one of the following versions:
klaviyo/magento2-extension - dev-202012_oauth_support
klaviyo/magento2-extension - dev-202105_fix_module
klaviyo/magento2-extension - dev-202111_product_save_webhook
klaviyo/magento2-extension - dev-202104_product-save-webhook
klaviyo/magento2-extension - dev-202106_require_m2_version_2_3_4
klaviyo/magento2-extension - dev-m2_v3_upgrade
klaviyo/magento2-extension - 3.0.0
klaviyo/magento2-extension - dev-202112_spell_fixes
klaviyo/magento2-extension - dev-202207_add_pr_template
klaviyo/magento2-extension - dev-202108_newsletter_fix
klaviyo/magento2-extension - dev-202110_m2_email_consent_loggedin_users
klaviyo/magento2-extension - dev-202107_rtrim_custom_media_url
klaviyo/magento2-extension - dev-202201_cart_rebuild

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): HIGH
