CVE-2024-44313
Description
TastyIgniter 3.7.6 has an incorrect access control vulnerability in the invoice() function, allowing unauthorized users to generate invoices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
CVE-2024-44313 is an Incorrect Access Control vulnerability in TastyIgniter 3.7.6, specifically in the invoice() function within the Orders.php controller [1]. The root cause is a missing permission check that allows any authenticated user (or potentially unauthenticated users, depending on configuration) to reach the invoice generation functionality without proper authorization [2].
Exploitation
An attacker who can reach the invoice endpoint can call the invoice() method on any order without having the required administrative or order-management role. The vulnerability exists because the function does not verify that the requesting user has permission to view or generate invoices for that order [2].
Impact
A successful exploit allows unauthorized users to access sensitive order and invoice data, including customer information, pricing details, and order items. This could lead to privacy breaches and financial data exposure. The issue could also be used to generate invoices for orders the user should not have access to [1].
Mitigation
No patch has been released for this issue as of the publication date. Users should add a permission check to the invoice() function, following the official source code [2]. The vendor recommends following security practices such as implementing role-based access controls [3].
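As an added illustration of the missing check described above (not TastyIgniter's own code: the class names, the permission string and the location-scope rule are hypothetical stand-ins for a real admin panel), the unchecked action beside a hardened one that authenticates, checks the capability and then checks the specific order:

```php
<?php
// Added example, not TastyIgniter source: the class names, the permission string
// and the location-scope rule are hypothetical stand-ins for a real admin panel.
declare(strict_types=1);
final class HttpException extends RuntimeException {
    public function __construct(public readonly int $status, string $msg) { parent::__construct($msg); }
}
final class Order { public function __construct(public int $id, public int $locationId, public float $total) {} }
final class AuthUser {
    public function __construct(public int $id, private array $permissions, private array $locationIds) {}
    public function hasPermission(string $p): bool { return in_array($p, $this->permissions, true); }
    public function canAccessLocation(int $loc): bool { return in_array($loc, $this->locationIds, true); }
}

final class OrdersController {
    /** @param array<int,Order> $orders in-memory store standing in for the database */
    public function __construct(private array $orders) {}
    // Vulnerable shape (the defect described above): reaching the route is the
    // only requirement, so any caller gets any order's invoice.
    public function invoiceUnchecked(int $orderId): string {
        return $this->render($this->orders[$orderId]);
    }
    // Hardened shape: authenticate, authorise the capability, then the object. Missing and
    // out-of-scope orders both yield 404 so the endpoint does not confirm which IDs exist.
    public function invoice(?AuthUser $user, int $orderId): string {
        if ($user === null) {
            throw new HttpException(401, 'authentication required');
        }
        if (!$user->hasPermission('Admin.Orders.Invoice')) { // hypothetical permission name
            error_log("invoice denied: user {$user->id} lacks permission (order {$orderId})");
            throw new HttpException(403, 'forbidden');
        }
        $order = $this->orders[$orderId] ?? null;
        if ($order === null || !$user->canAccessLocation($order->locationId)) {
            error_log("invoice denied: order {$orderId} missing or outside scope of user {$user->id}");
            throw new HttpException(404, 'not found');
        }
        return $this->render($order);
    }
    private function render(Order $o): string {
        return sprintf('INVOICE #%d location=%d total=%.2f', $o->id, $o->locationId, $o->total);
    }
}

// Constructed sample data: order 101 belongs to location 2; user 7 is scoped to location 1 only.
$ctl = new OrdersController([101 => new Order(101, 2, 42.50)]);
try { $ctl->invoice(new AuthUser(7, ['Admin.Orders.Invoice'], [1]), 101); }
catch (HttpException $e) { echo "{$e->status} {$e->getMessage()}\n"; }
echo $ctl->invoice(new AuthUser(8, ['Admin.Orders.Invoice'], [2]), 101), "\n";
```

The denied attempts are logged with the user and order identifiers, which is the signal a defender would alert on if the unchecked action were hit repeatedly across many order IDs.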
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tastyigniter/tastyigniter (Packagist) | < 4.0.0 | 4.0.0 |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.