PyPI package
saleor
pkg:pypi/saleor
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-29888 | — | >= 3.14.56, < 3.14.61 | 3.14.61 | Mar 27, 2024 | Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect | ||
| CVE-2023-26052 | — | >= 2.0.0, < 3.1.48 | 3.1.48 | Mar 2, 2023 | Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in | ||
| CVE-2023-26051 | — | >= 2.0.0, < 3.1.48 | 3.1.48 | Mar 2, 2023 | Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staf | ||
| CVE-2022-0932 | — | < 3.1.2 | 3.1.2 | Mar 11, 2022 | Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. | ||
| CVE-2020-7964 | — | >= 2.0.0, < 2.9.1 | 2.9.1 | Jan 24, 2020 | An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer). | ||
| CVE-2019-13594 | — | >= 2.7.0, < 2.8.0 | 2.8.0 | Jul 14, 2019 | In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server. |
- CVE-2024-29888Mar 27, 2024affected >= 3.14.56, < 3.14.61fixed 3.14.61
Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect
- CVE-2023-26052Mar 2, 2023affected >= 2.0.0, < 3.1.48fixed 3.1.48
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in
- CVE-2023-26051Mar 2, 2023affected >= 2.0.0, < 3.1.48fixed 3.1.48
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staf
- CVE-2022-0932Mar 11, 2022affected < 3.1.2fixed 3.1.2
Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2.
- CVE-2020-7964Jan 24, 2020affected >= 2.0.0, < 2.9.1fixed 2.9.1
An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).
- CVE-2019-13594Jul 14, 2019affected >= 2.7.0, < 2.8.0fixed 2.8.0
In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.