| Название | Evershop <= v2.0.1 Insecure Direct Object Reference |
|---|
| Описание | A critical authorization vulnerability has been identified in EverShop's GraphQL API that allows any unauthenticated user to access complete order information, including customer personally identifiable information (PII), shipping addresses, billing details, and purchase history. This is a textbook Insecure Direct Object Reference (IDOR) vulnerability where the application fails to verify whether the requesting user has permission to access the requested order data. |
|---|
| Источник | ⚠️ https://github.com/ictrun/Evershop-Order-leak/blob/main/README.md |
|---|
| Пользователь | ictrun (UID 83482) |
|---|
| Представление | 23.10.2025 01:17 (6 месяцы назад) |
|---|
| Модерация | 09.11.2025 07:29 (17 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 331639 [EverShop до 2.0.1 Order Order.resolvers.js uuid эскалация привилегий] |
|---|
| Баллы | 20 |
|---|