CVE-2024-29888
low-risk
Published 2024-03-27
Saleor is an e-commerce platform that serves high-volume companies. When `Pickup: Local stock only` click-and-collect is used as the delivery method, under specific conditions a customer could overwrite the warehouse address with their own, which then exposes the customer's address as the click-and-collect address. This issue has been patched in versions `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28` and `3.19.15`.
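The bug class behind this advisory is a checkout that lets a client-supplied address replace the address of the selected pickup point. The following is an added illustration written for this page; it is not Saleor's code and not the fix in the referenced pull requests, the advisory's exact triggering conditions are not known from this page, and every class, function and sample address below is hypothetical. It shows a weak address-update handler beside a hardened one that derives the pickup address from the warehouse record and refuses client overrides, plus a read-path check that prints only the warehouse address on pickup notifications.

```python
"""Added illustration of the bug class behind this advisory: a checkout that
lets a client-supplied address replace the pickup point's address.
Not Saleor's code and not the referenced patch; all names are hypothetical
and all sample data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Address:
    street: str
    city: str
    postal_code: str
    country: str


@dataclass(frozen=True)
class Warehouse:
    # click_and_collect models the advisory's "Pickup: Local stock only" mode
    # as the value "LOCAL"; "DISABLED" and "ALL" are assumed sibling modes.
    id: str
    address: Address
    click_and_collect: str


@dataclass
class Checkout:
    shipping_address: Optional[Address] = None
    collection_point: Optional[Warehouse] = None


# Constructed sample data (hypothetical warehouse and customer).
WAREHOUSE = Warehouse(
    id="wh-1",
    address=Address("1 Depot Rd", "Hamburg", "20095", "DE"),
    click_and_collect="LOCAL",
)
CUSTOMER_HOME = Address("42 Private Ln", "Berlin", "10115", "DE")


def set_collection_point(checkout: Checkout, warehouse: Warehouse) -> Checkout:
    """Select a pickup warehouse; its address becomes the shipping address."""
    if warehouse.click_and_collect == "DISABLED":
        raise ValueError("warehouse does not offer click-and-collect")
    checkout.collection_point = warehouse
    checkout.shipping_address = warehouse.address
    return checkout


def update_shipping_address_vulnerable(checkout: Checkout, address: Address) -> Checkout:
    """Weak handler: trusts the client-supplied address even when a pickup
    point is selected, so the customer's own address ends up stored (and
    shown) as the collection address."""
    checkout.shipping_address = address
    return checkout


def update_shipping_address_hardened(checkout: Checkout, address: Address) -> Checkout:
    """Hardened handler: once a collection point is set, the shipping address
    is derived from the warehouse record, so a client override is rejected."""
    if checkout.collection_point is not None:
        raise ValueError("shipping address is fixed by the selected collection point")
    checkout.shipping_address = address
    return checkout


def pickup_address_for_display(checkout: Checkout) -> Optional[Address]:
    """Defence in depth on the read path: whatever was stored, the address
    printed on pickup notifications is taken from the warehouse record."""
    if checkout.collection_point is not None:
        return checkout.collection_point.address
    return checkout.shipping_address


def demo():
    """Run both handlers against the same override attempt.

    Returns (weak_stored, hardened_rejected, hardened_stored, weak_displayed).
    """
    weak = set_collection_point(Checkout(), WAREHOUSE)
    update_shipping_address_vulnerable(weak, CUSTOMER_HOME)

    strong = set_collection_point(Checkout(), WAREHOUSE)
    try:
        update_shipping_address_hardened(strong, CUSTOMER_HOME)
        rejected = False
    except ValueError:
        rejected = True

    return (weak.shipping_address, rejected, strong.shipping_address,
            pickup_address_for_display(weak))


if __name__ == "__main__":
    weak_stored, rejected, hardened_stored, shown = demo()
    print("vulnerable handler stored:", weak_stored)
    print("hardened handler rejected override:", rejected)
    print("hardened handler kept:", hardened_stored)
    print("display path for the weak checkout still shows:", shown)
```

The write-path check is the real fix; the read-path helper only limits the blast radius if some other mutation path still manages to store a customer address against a pickup checkout.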
Do I need to act?
- EPSS: 0.42% chance of exploitation (low exploit probability)
- CISA KEV: not listed; no confirmed active exploitation reported to CISA
- Patch status: shown as unknown by this tracker, but the description above lists fixed versions (3.14.61, 3.15.37, 3.16.34, 3.17.32, 3.18.28, 3.19.15); check the vendor advisory and upgrade to the patched release for your branch
CVSS 4.2/10 (Medium); attack vector: Network, attack complexity: High
Affected Products (1): Saleor
References (22)
- Issue Tracking: https://github.com/saleor/saleor/pull/15694
- Issue Tracking: https://github.com/saleor/saleor/pull/15697
and 2 more references
Risk score: 21/100 (low-risk)
- Severity: 14/34 · Moderate
- Exploitability: 2/34 · Minimal
- Exposure: 5/34 · Minimal