CVE-2019-7872: Magento Insufficient authorization check when adding users to company accounts

May 24, 2022 (updated May 15, 2024)

An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks. This can be abused by a user with admin privileges to add users to company accounts or modify existing user details.

References

github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7872.yaml
github.com/advisories/GHSA-pfxv-66r9-4gqw
github.com/magento/magento2
magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
nvd.nist.gov/vuln/detail/CVE-2019-7872

Code Behaviors & Features

Detect and mitigate CVE-2019-7872 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →