Description

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

Related CPE's

a

webkul

bagisto

Vulnerable

References

https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3

Patch

https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm

ExploitVendor Advisory

Weaknesses

[email protected]

Primary
CWE-284CWE-639

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

7.1 · High

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-02T21:15:58.773Z

1 week ago

Last modified

2026-01-08T21:24:08.743Z

1 week ago