detronetdip E-commerce 1.0.0 allows unauthorized deletion of products

Summary

A security flaw in the product management module of detronetdip E-commerce 1.0.0 allows an attacker to delete or update products without permission. This could be exploited by anyone with knowledge of the exploit, potentially causing data loss or disruption to your online store. You should check with the developer for an update or patch to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
detronetdip	e-commerce	1.0.0	–

Original title

A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the ...

Original description

A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

nvd CVSS2.0 5.5

nvd CVSS3.1 8.1

nvd CVSS4.0 5.3

Vulnerability type

CWE-285 Improper Authorization

CWE-639 Authorization Bypass Through User-Controlled Key

https://github.com/Nixon-H/Ecommerce-IDOR-Product-Manipulation Exploit Mitigation Third Party Advisory
https://github.com/detronetdip/E-commerce/ Product
https://github.com/detronetdip/E-commerce/issues/23 Exploit Issue Tracking Vendor Advisory
https://vuldb.com/?ctiid.346486 Permissions Required VDB Entry
https://vuldb.com/?id.346486 Third Party Advisory VDB Entry
https://vuldb.com/?submit.754030 Third Party Advisory VDB Entry