VYPR
Moderate severity · NVD Advisory · Published Mar 18, 2025 · Updated Mar 21, 2025

CVE-2024-44314

Description

TastyIgniter 3.7.6 lacks access control in Orders.php, allowing unauthorized remote order status updates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2024-44314 is an Incorrect Access Control vulnerability in the Orders Management System of TastyIgniter 3.7.6. The bug resides in the index_onUpdateStatus() function within Orders.php, which fails to verify that the requesting user has permission to modify order statuses. This oversight allows any authenticated user, regardless of role, to update order statuses without authorization [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP request to the order update endpoint. The attack does not require special privileges; any user with access to the application can perform unauthorized order manipulations. The lack of permission checks in the vulnerable function enables this exploitation [2].

Impact

Successful exploitation allows an attacker to change the status of any order in the system. This could lead to disruption of order processing, incorrect order fulfillment, and potential financial loss for the restaurant. The integrity of the order management process is compromised [1].

Mitigation

As of the publication date, no patch has been released for this vulnerability. Users are advised to implement additional access controls at the application or server level, or await an official update from TastyIgniter [3].
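The following PHP example is added here to illustrate the class of defect described above and the application-level mitigation the advisory recommends; it is not TastyIgniter's code. The class and method names (User, Order, OrdersController, updateStatusUnchecked, updateStatusChecked) and the permission code 'Admin.Orders.Update' are assumptions chosen for the illustration, and the users and orders are constructed sample data. The unchecked method mirrors the reported pattern (a status write with no permission check); the checked method shows the missing authorization step.

```php
<?php
// Added illustration, not TastyIgniter's code: a schematic order-status update
// without an authorization check, beside a version that enforces one.
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions permission codes held by this user (constructed) */
    public function __construct(public readonly string $name, private array $permissions) {}

    public function hasPermission(string $code): bool
    {
        return in_array($code, $this->permissions, true);
    }
}

final class Order
{
    public function __construct(public readonly int $id, public string $status) {}
}

final class OrdersController
{
    // Hypothetical permission code for this example; not a TastyIgniter constant.
    private const PERMISSION_UPDATE_STATUS = 'Admin.Orders.Update';

    /** @param array<int, Order> $orders keyed by order id */
    public function __construct(private array $orders, private ?User $user) {}

    // Vulnerable pattern: any authenticated caller (or even an unauthenticated one,
    // if the route does not require login) can change any order's status.
    public function updateStatusUnchecked(int $orderId, string $newStatus): Order
    {
        $order = $this->orders[$orderId] ?? throw new RuntimeException("order $orderId not found");
        $order->status = $newStatus;
        return $order;
    }

    // Hardened pattern: refuse the write unless the caller is authenticated
    // and holds the specific permission for this action.
    public function updateStatusChecked(int $orderId, string $newStatus): Order
    {
        if ($this->user === null || !$this->user->hasPermission(self::PERMISSION_UPDATE_STATUS)) {
            throw new RuntimeException('forbidden: missing permission ' . self::PERMISSION_UPDATE_STATUS);
        }
        $order = $this->orders[$orderId] ?? throw new RuntimeException("order $orderId not found");
        $order->status = $newStatus;
        return $order;
    }
}

// Constructed sample data: a low-privilege user and a manager who holds the permission.
$orders  = [101 => new Order(101, 'Received')];
$waiter  = new User('waiter', []);
$manager = new User('manager', ['Admin.Orders.Update']);

// Without the check, the low-privilege user succeeds.
$unchecked = new OrdersController($orders, $waiter);
echo 'unchecked, waiter: ', $unchecked->updateStatusUnchecked(101, 'Completed')->status, PHP_EOL;

// With the check, the same request is rejected...
$orders[101]->status = 'Received';
$checked = new OrdersController($orders, $waiter);
try {
    $checked->updateStatusChecked(101, 'Completed');
} catch (RuntimeException $e) {
    echo 'checked, waiter: ', $e->getMessage(), PHP_EOL;
}

// ...while an authorized user can still update the order.
$checked = new OrdersController($orders, $manager);
echo 'checked, manager: ', $checked->updateStatusChecked(101, 'Completed')->status, PHP_EOL;
```

Run it with `php example.php`. The point of the checked variant is that authorization is evaluated inside the handler that performs the write, so it cannot be bypassed by reaching the endpoint through a different route; the server-level alternative the advisory mentions would restrict who can reach the order-update URL at all, which is a coarser control that does not replace the in-application check.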

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tastyigniter/tastyigniter (Packagist)
Affected versions: < 4.0.0
Patched versions: 4.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4
