Description

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

Related CPE's

Could not find any relations

References

https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3

https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm

Weaknesses

[email protected]

Primary
CWE-284CWE-639

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

7.1 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Received

Published

2026-01-02T21:15:58.773

2 hours ago

Last modified

2026-01-02T21:15:58.773

2 hours ago