NVD

Id
18481  
Name
CVE-2016-2212  
Description
The getOrderByStatusUrlKey function in the Mage_Rss_Helper_Order class in app/code/core/Mage/Rss/Helper/Order.php in Magento Enterprise Edition before 1.14.2.3 and Magento Community Edition before 1.9.2.3 allows remote attackers to obtain sensitive order information via the order_id in a JSON object in the data parameter in an RSS feed request to index.php/rss/order/status.  
Reject
 
CVSS Version
2  
CVSS Score
5  
Severity
Medium  
CVSS Base Score
5  
CVSS Impact Subscore
2.9  
CVSS Exploit Subscore
10  
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:N/A:N)  
Pub Date
2017-01-19  
Published
2016-04-15  
Modified Date
2016-04-22  
Seq
2016-2212  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
102786 18481 CVE-2016-2212 http://karmainsecurity.com/KIS-2016-02  View
102787 18481 CVE-2016-2212 http://packetstormsecurity.com/files/135941/Magento-1.9.2.2-RSS-Feed-Information-Disclosure.html  View
102788 18481 CVE-2016-2212 20160223 [KIS-2016-02] Magento <= 1.9.2.2 (RSS Feed) Information Disclosure Vulnerability  View
102789 18481 CVE-2016-2212 20160224 [KIS-2016-02] Magento <= 1.9.2.2 (RSS Feed) Information Disclosure Vulnerability  View
102790 18481 CVE-2016-2212 https://magento.com/security/patches/supee-7405  View

Related JVN

Id Name Title Summary Cveinfo Name Cveinfo Id Nvdinfo Name Nvdinfo Id Cvssv2 Cvssv3 Jvnurl Published Date Last Updated Date Actions
1535 JVNDB-2016-002308 Magento Enterprise Edition および Community Edition の app/code/core/Mage/Rss/Helper/Order.php における重要な注文情報を取得される脆弱性 Magento Enterprise Edition および Community Edition の app/code/core/Mage/Rss/Helper/Order.php の Mage_Rss_Helper_Order クラスの getOrderByStatusUrlKey 関数には、重要な注文情報を取得される脆弱性が存在します。 CVE-2016-2212 88718 CVE-2016-2212 18481 5 5.3 http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-002308.html 2016-02-23 2016-04-27 View