Saleor: Customers' addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method

Summary

Using Pickup: Local stock only as a click-and-collect points could cause a leak of customer addresses

Details

When using Pickup: Local stock only click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address.

Impact

The vulnerability can cause the leak of customer's address when using click-and-collect delivery option marked as Local stock only. It has impact on all orders with click-and-collect delivery method marked as Pickup:Local stock only
The affected versions: >=3.14.56 <3.14.61, >=3.15.31 <3.15.37, >=3.16.27 <3.16.34, >=3.17.25 <3.17.32, >=3.18.19 <3.18.28, >=3.19.5 <3.19.15
This issue has been patched in versions: 3.14.61, 3.15.37, 3.16.34, 3.17.32, 3.18.28, 3.19.15

Workaround

We strongly recommend upgrading to the latest versions, in case of inability to upgrade straight away, possible workarounds are:

turn off click-and-collect delivery method on warehouse view when Pickup option is set to Local stock only.
cherry-pick the changes from PRs: saleor/saleor#15694 & saleor/saleor#15697

References

NyanKiyoshi published to saleor/saleor Mar 27, 2024

Published by the National Vulnerability Database Mar 27, 2024

Published to the GitHub Advisory Database Mar 28, 2024

Reviewed Mar 28, 2024

Last updated Mar 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

Details

Impact

Workaround

References

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code