SecuriTricks - CVE-2025-52920

Description

Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.

Product(s) Impacted

Vendor	Product	Versions
Innoshop	Innoshop	0.4.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-425

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	innoshop	innoshop	0.4.1	/	/	/	/	/	/	/

References

https://github.com/innocommerce/innoshop

https://medium.com/@The_Hiker/how-i-found-multiple-cves-in-innoshop-0-4-1-12c8f84ad87f

CVSS Score

6.4 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

View Vector String

Timeline

Published: June 23, 2025, 12:15 p.m.
Last Modified: June 23, 2025, 8:16 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

CVE-2025-52920