Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32694 | 1 Saleor | 1 Saleor | 2023-12-10 | N/A | 5.4 MEDIUM |
| Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16. | |||||
| CVE-2023-26051 | 1 Saleor | 1 Saleor | 2023-12-10 | N/A | 4.3 MEDIUM |
| Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated requests. | |||||
| CVE-2023-26052 | 1 Saleor | 1 Saleor | 2023-12-10 | N/A | 5.3 MEDIUM |
| Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests. This issue has been patched in versions 3.1.48, 3.7.59, 3.8.0, 3.9.27, 3.10.14 and 3.11.12. | |||||
| CVE-2022-39275 | 1 Saleor | 1 Saleor | 2023-12-10 | N/A | 4.3 MEDIUM |
| Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-0932 | 1 Saleor | 1 Saleor | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. | |||||