Search criteria
1 vulnerability by mrw
CVE-2024-6506 (GCVE-0-2024-6506)
Vulnerability from cvelistv5 – Published: 2024-07-04 12:52 – Updated: 2024-08-01 21:41
VLAI
Title
Information exposure vulnerability in the MRW plug-in
Summary
Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the "mrw_log" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| MRW | MRW plugin |
Affected:
5.4.3
|
|
| mrw | mrw |
Affected:
5.4.3
cpe:2.3:a:mrw:mrw:5.4.3:*:*:*:*:*:*:* |
Date Public
2024-07-04 11:00
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mrw:mrw:5.4.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mrw",
"vendor": "mrw",
"versions": [
{
"status": "affected",
"version": "5.4.3"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-05T17:30:06.304569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T16:52:35.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:41:03.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MRW plugin",
"vendor": "MRW",
"versions": [
{
"status": "affected",
"version": "5.4.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jes\u00fas Higueras"
}
],
"datePublic": "2024-07-04T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure vulnerability in the MRW plugin, in its\u0026nbsp;5.4.3 version,\u0026nbsp;affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers\u0027 order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."
}
],
"value": "Information exposure vulnerability in the MRW plugin, in its\u00a05.4.3 version,\u00a0affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers\u0027 order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-04T12:52:15.521Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability has been fixed by the MRW team in version 5.5.1."
}
],
"value": "The vulnerability has been fixed by the MRW team in version 5.5.1."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Information exposure vulnerability in the MRW plug-in",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-6506",
"datePublished": "2024-07-04T12:52:15.521Z",
"dateReserved": "2024-07-04T10:08:19.529Z",
"dateUpdated": "2024-08-01T21:41:03.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}