CVE-2025-52920
Status: Awaiting Analysis (Queue)
BaseFortify

Publication date: 2025-06-23

Last updated on: 2025-06-23

Assigner: MITRE

Description
Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.
Meta Information
Published: 2025-06-23
Last Modified: 2025-06-23
Generated: 2026-05-07
AI Q&A: 2025-06-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-425: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
AI Powered Q&A

Q: How can this vulnerability impact me?

A: This vulnerability can lead to unauthorized disclosure of personally identifiable information (PII) of other customers, such as their order details and billing/shipping addresses. Additionally, it allows attackers to delete product reviews made by other users. This can result in privacy breaches, loss of customer trust, and potential damage to the integrity of the website's content.

Q: Can you explain this vulnerability to me?

A: This vulnerability is an Insecure Direct Object Reference (IDOR) in Innoshop versions up to 0.4.1. It allows anyone who creates a customer account to access or manipulate data belonging to other customers. Specifically, an attacker can view order details of any order by changing the order ID in the URL, access other customers' shipping and billing information by modifying parameters during order placement, and delete other users' product reviews by sending a DELETE request with the review ID.