Saleor E-Commerce Platform Insecure Direct Object Reference Vulnerability Allowing Sensitive Information Exfiltration

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Saleor e-commerce platform. It affects versions 3.2.0 prior to 3.22.29, 3.21.0-a.0 prior to 3.21.45, and 3.20.0-a.0 prior to 3.20.110. The flaw allows unauthenticated users to read sensitive information, including personally identifiable information (PII), in plain text. Orders created before Saleor version 3.2.0 are particularly at risk, as their PII can be exfiltrated.

Impact

The vulnerability could lead to the unauthorized extraction of PII, including email addresses, phone numbers, and physical addresses, from orders placed before Saleor version 3.2.0.

Reproduction

The vulnerability can be reproduced by sending a GraphQL query for order information without any authentication, using the 'order()' query exposed by the GraphQL API. For orders created before Saleor 3.2.0, the response includes the PII fields of the order.

Remediation

Upgrade to Saleor 3.22.29, 3.21.45, or 3.20.110 to address this vulnerability. Where an immediate upgrade is not possible, the recommended temporary workaround is to block non-staff users from reading order information via the 'order()' GraphQL query, for example with a Web Application Firewall (WAF) rule in front of the API.
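The following is an added example, not code from the Saleor project or from this advisory, that covers both the reproduction step and the WAF workaround above. It builds the kind of unauthenticated 'order()' request described under Reproduction and then shows a request filter of the sort the workaround calls for: a small GraphQL tokenizer that resolves the root fields selected by a document (handling aliases, named fragments on Query, and inline fragments, all of which a naive string match on the text "order(" would miss) and rejects non-staff requests that select the root field named order. The staff decision is passed in by the caller because that is a property of the caller's session, not of the request text; the order id "ORDER_ID" and the sample requests are constructed for this example, and the field names inside the selections follow Saleor's public schema as I recall it but only the root field name matters to the filter.

```python
import json
import re

# Tokenizer for the subset of GraphQL syntax needed to find root fields.
# Strings, block strings, comments and commas are consumed and dropped.
_TOKEN_RE = re.compile(
    r'"""(?:\\.|(?!""").)*"""'                   # block string
    r'|"(?:\\.|[^"\\])*"'                       # string
    r'|#[^\r\n]*'                               # comment
    r'|[_A-Za-z][_0-9A-Za-z]*'                  # name / keyword
    r'|-?[0-9]+(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?'  # number
    r'|\.\.\.'                                  # fragment spread
    r'|[{}()\[\]:!$=@|&]'                       # punctuators
    r'|[\s,\ufeff]+',                           # ignored
    re.DOTALL,
)
_NAME_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def tokenize(document):
    tokens, pos = [], 0
    while pos < len(document):
        m = _TOKEN_RE.match(document, pos)
        if not m:
            raise ValueError("unexpected character at offset %d" % pos)
        tok = m.group(0)
        pos = m.end()
        if tok[0] in '"#' or tok[0].isspace() or tok[0] in ",\ufeff":
            continue  # strings, comments and insignificant whitespace
        tokens.append(tok)
    return tokens


def query_root_fields(document):
    """Names of the fields selected directly on the Query root type, with
    aliases resolved and fragments on Query treated as part of the root."""
    tokens = tokenize(document)
    fields, stack, paren = [], [], 0
    root = "Query"          # the anonymous shorthand "{ ... }" is a query
    pending_inline = False  # next '{' opens an inline fragment (no new level)
    i, n = 0, len(tokens)
    while i < n:
        tok = tokens[i]
        prev = tokens[i - 1] if i else None
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif paren:
            pass  # inside arguments: braces there are input objects, not selections
        elif tok == "...":
            pending_inline = i + 1 < n and tokens[i + 1] in ("{", "@", "on")
        elif tok == "{":
            stack.append(not pending_inline)  # False entries add no depth
            pending_inline = False
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced selection set")
            stack.pop()
        elif not stack and tok in ("query", "mutation", "subscription"):
            root = tok.capitalize()
        elif not stack and tok == "fragment":
            root = tokens[i + 3] if i + 3 < n and tokens[i + 2] == "on" else None
        elif (sum(stack) == 1 and root == "Query" and _NAME_RE.fullmatch(tok)
              and prev not in ("@", "...", "on")):
            name = tok  # "alias: field" selects the field after the colon
            if i + 2 < n and tokens[i + 1] == ":" and _NAME_RE.fullmatch(tokens[i + 2]):
                name = tokens[i + 2]
                i += 2
            fields.append(name)
        i += 1
    return fields


def should_block(request_body, is_staff):
    """WAF rule for the workaround: reject non-staff requests whose GraphQL
    document selects the root `order` field. Fails closed on bodies it
    cannot parse so that malformed input cannot slip past the check."""
    if is_staff:
        return False
    try:
        payload = json.loads(request_body)
    except ValueError:
        return True
    for op in payload if isinstance(payload, list) else [payload]:
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str):
            return True
        try:
            if "order" in query_root_fields(query):
                return True
        except ValueError:
            return True
    return False


# Constructed sample requests (name -> (query text, is_staff)).
SAMPLE_REQUESTS = {
    "direct": ('query { order(id: "ORDER_ID") { userEmail } }', False),
    "aliased": ('{ o: order(id: "ORDER_ID") { billingAddress { phone } } }', False),
    "fragment": ('query { ...F } fragment F on Query { order(id: "ORDER_ID") { userEmail } }', False),
    "inline_fragment": ('{ ... @include(if: true) { order(id: "ORDER_ID") { userEmail } } }', False),
    "variables": ('query Get($id: ID!) { order(id: $id) { shippingAddress { streetAddress1 } } }', False),
    "staff": ('query { order(id: "ORDER_ID") { userEmail } }', True),
    "products": ('{ products(first: 5) { edges { node { name } } } }', False),
    "string_literal": ('{ products(filter: {search: "order"}) { edges { node { name } } } }', False),
    "nested_alias": ('{ me { order: email } }', False),
    "mutation": ('mutation { orderCancel(id: "ORDER_ID") { order { id } } }', False),
}


def run_samples():
    """Return the block/allow decision for every constructed request."""
    return {name: should_block(json.dumps({"query": q}), staff)
            for name, (q, staff) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, blocked in run_samples().items():
        print("%-16s %s" % (name, "BLOCK" if blocked else "allow"))
```

The five unauthenticated variants that reach order() are blocked, the staff request and the unrelated queries are allowed, and a query that merely contains the word "order" inside a string argument or as a nested alias is not misclassified. Treat this as a stop-gap: it filters on the root field only, so a temporary rule like this must be removed once the fixed version is deployed rather than relied on as the control.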

Added: Jan 24, 2026, 12:22 AM
Updated: Jan 24, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 8.9
remediation: 7.9
relevance: 2.3
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.