CVE-2025-52920 Information

Description

Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific an attacker could view the order details of any order by browsing to /en/account/orders/ORDER_ID or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.

Reference

https://github.com/innocommerce/innoshop https://medium.com/@The_Hiker/how-i-found-multiple-cves-in-innoshop-0-4-1-12c8f84ad87f

Related CNNVD

CNNVD-202506-2937 (Published: 2025-06-23)