Impact
When a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address.
The same applies to CustomerForm: you are able to change the id_customer and change all information of all accounts.
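
The flaw described above is a missing ownership check on an identifier supplied by the client. As an added illustration (not PrestaShop's code and not its actual patch; the function names, the `$addresses` store and the sample request are hypothetical), the PHP below puts the vulnerable pattern beside a hardened one that binds the record to the logged-in customer:

```php
<?php
// Added illustration, not PrestaShop code. All names and data are constructed.

// Constructed store: address 10 belongs to customer 1, address 20 to customer 2.
$addresses = [
    10 => ['id_customer' => 1, 'city' => 'Paris'],
    20 => ['id_customer' => 2, 'city' => 'Lyon'],
];

// Vulnerable pattern: the record to update is selected by a form field alone.
function saveAddressVulnerable(array &$addresses, array $post): bool
{
    $id = (int) ($post['id_address'] ?? 0);
    if (!isset($addresses[$id])) {
        return false;
    }
    $addresses[$id]['city'] = (string) ($post['city'] ?? '');
    return true;
}

// Hardened pattern: the owner is taken from the server-side session, and the
// submitted id is accepted only when the stored record belongs to that owner.
function saveAddressHardened(array &$addresses, array $post, int $sessionCustomerId): bool
{
    $id = (int) ($post['id_address'] ?? 0);
    if (!isset($addresses[$id]) || $addresses[$id]['id_customer'] !== $sessionCustomerId) {
        return false; // unknown record, or not owned by the logged-in customer
    }
    $addresses[$id]['city'] = (string) ($post['city'] ?? '');
    return true;
}

// Constructed request: customer 1 is logged in, but the form's id_address is 20.
$post = ['id_address' => '20', 'city' => 'Nice'];
$sessionCustomerId = 1;

$copy = $addresses;
$ok = saveAddressVulnerable($copy, $post);
printf("vulnerable: accepted=%s, address 20 city=%s\n", var_export($ok, true), $copy[20]['city']);

$copy = $addresses;
$ok = saveAddressHardened($copy, $post, $sessionCustomerId);
printf("hardened:   accepted=%s, address 20 city=%s\n", var_export($ok, true), $copy[20]['city']);
```

The same principle covers the id_customer case: the account being edited should be derived from the session, not read from the submitted form.
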
Patches
The problem is patched in 1.7.6.4.
Workarounds
There is currently no workaround; a fix needs to be applied in the Core files.
Thanks to Fanie Guesdon for reporting this issue.