CVE-2024-29888— Saleor vulnerable to customers addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method

CVSS 4.2 · Medium EPSS 0.42% · P62 Updated Jan 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-29888

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Saleor vulnerable to customers addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method

Source: NVD (National Vulnerability Database)

Vulnerability Description

Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address. This issue has been patched in versions: `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28`, `3.19.15`.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

侵犯隐私

Source: NVD (National Vulnerability Database)

Vulnerability Title

Saleor 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Github saleor是一个无头的 GraphQL 商务平台，提供超快速、动态、个性化的购物体验。美丽的在线商店，在任何地方，在任何设备上。 Saleor存在安全漏洞，该漏洞源于存在客户地址泄露问题。受影响的产品和版本：Saleor 3.14.56至3.14.61版本，3.15.31至3.15.37版本，3.16.27至3.16.34版本，3.17.25至3.17.32版本，3.18.19至3.18.28版本，3.19.5至3.19.15版本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
saleor	saleor	>= 3.14.56, < 3.14.61	-

II. Public POCs for CVE-2024-29888

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-29888

请登录查看更多情报信息。

https://github.com/saleor/saleor/pull/15694x_refsource_MISC
https://github.com/saleor/saleor/pull/15697x_refsource_MISC
https://github.com/saleor/saleor/security/advisories/GHSA-mrj3-f2h4-7w45x_refsource_CONFIRM
https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26x_refsource_MISC
https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4x_refsource_MISC
https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6bx_refsource_MISC
https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5cx_refsource_MISC
https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761x_refsource_MISC
https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182x_refsource_MISC
https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640x_refsource_MISC
https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2024-29888

IV. Related Vulnerabilities

Same product: saleor

Same vendor: saleor

Same weakness: CWE-359

V. Comments for CVE-2024-29888

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-29888— Saleor vulnerable to customers addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method

I. Basic Information for CVE-2024-29888

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-29888

III. Intelligence Information for CVE-2024-29888

IV. Related Vulnerabilities

V. Comments for CVE-2024-29888

Leave a comment