Bagisto Insecure Direct Object Reference Vulnerability in Order Reorder Function

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Bagisto, an open-source Laravel eCommerce platform, in versions prior to 2.3.10. This vulnerability allows authenticated customers to manipulate order ID parameters and add items from other customers' orders to their own shopping carts. The issue arises in the order reorder function, which fails to validate customer ownership of orders, exposing sensitive purchase information and creating opportunities for fraud.
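The following is an added illustrative example, not Bagisto's own code: it shows the root cause in the same shape as a Laravel-style reorder handler, with the lookup that trusts the request's order ID next to the hardened lookup that scopes the query to the authenticated customer. The classes, method names and the in-memory repository are constructed for this demo; Bagisto's real controller, models and routes differ.

```php
<?php
// Added example for this advisory. Order, OrderRepository, ReorderService
// and the sample orders are constructed for illustration (assumptions),
// not Bagisto's implementation.

declare(strict_types=1);

final class Order
{
    public function __construct(
        public readonly int $id,
        public readonly int $customerId,
        public readonly array $items,
    ) {}
}

final class OrderRepository
{
    /** @var array<int, Order> */
    private array $orders = [];

    public function add(Order $order): void
    {
        $this->orders[$order->id] = $order;
    }

    // Vulnerable lookup pattern: keyed on the order ID alone, so any
    // authenticated customer who supplies another customer's ID gets that order.
    public function findById(int $id): ?Order
    {
        return $this->orders[$id] ?? null;
    }

    // Hardened lookup: the owner's ID is part of the query, so a foreign
    // order is indistinguishable from a non-existent one (no enumeration oracle).
    public function findForCustomer(int $id, int $customerId): ?Order
    {
        $order = $this->orders[$id] ?? null;
        return ($order !== null && $order->customerId === $customerId) ? $order : null;
    }
}

final class ReorderService
{
    public function __construct(private OrderRepository $orders) {}

    // Vulnerable version: the authenticated customer's ID is never compared
    // against the order being copied into their cart.
    public function reorderVulnerable(int $currentCustomerId, int $orderId): array
    {
        $order = $this->orders->findById($orderId);
        if ($order === null) {
            throw new RuntimeException('Order not found');
        }
        return $order->items; // would be added to $currentCustomerId's cart
    }

    // Fixed version: the lookup itself is scoped to the authenticated customer.
    public function reorderFixed(int $currentCustomerId, int $orderId): array
    {
        $order = $this->orders->findForCustomer($orderId, $currentCustomerId);
        if ($order === null) {
            throw new RuntimeException('Order not found');
        }
        return $order->items;
    }
}

// Constructed sample data: customer 1 owns order 100, customer 2 owns order 200.
$repo = new OrderRepository();
$repo->add(new Order(100, 1, ['sku-A' => 2]));
$repo->add(new Order(200, 2, ['sku-B' => 1]));
$service = new ReorderService($repo);

// Customer 1 asks to reorder order 200, which belongs to customer 2.
$leaked = $service->reorderVulnerable(1, 200);
echo 'vulnerable path returned foreign items: ' . json_encode($leaked) . "\n";

try {
    $service->reorderFixed(1, 200);
    echo "FAIL: fixed path reordered a foreign order\n";
} catch (RuntimeException $e) {
    echo "fixed path rejected foreign order: {$e->getMessage()}\n";
}

// The real owner can still reorder their own order through the fixed path.
$own = $service->reorderFixed(2, 200);
echo 'owner reorder: ' . ($own === ['sku-B' => 1] ? "ok\n" : "unexpected result\n");
```

In a Laravel code base the same fix is expressed by constraining the Eloquent query to the authenticated customer before resolving the ID (for example `Order::where('customer_id', $customerId)->findOrFail($orderId)` instead of `Order::findOrFail($orderId)`), a general Laravel idiom rather than a quotation of Bagisto's patch. Returning the same "not found" response for foreign and missing orders also avoids confirming which order IDs exist.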

Impact

Exploitation of this vulnerability allows for unauthorized access to other customers' order details, which could be misused for social engineering or targeted attacks. Additionally, it facilitates the unauthorized transfer of items between carts, potentially leading to fraudulent activities.

Reproduction

To reproduce this vulnerability, an authenticated customer manipulates the order ID parameter passed to the reorder function: after logging into their own account, they request the reorder route with an order ID that belongs to another customer. Because ownership is not checked, the items from the victim's order are added to the requesting customer's shopping cart once the request is processed.

Remediation

Users should update to Bagisto version 2.3.10 or later, where this vulnerability has been patched.

Added: Jan 2, 2026, 9:21 PM
Updated: Jan 2, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 6.8
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.