CVE-2024-44314

TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order statuses. The issue occurs in the index_onUpdateStatus() function within Orders.php, which fails to verify if the user has permission to modify an order's status. This flaw can be exploited remotely, leading to unauthorized order manipulation.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tastyigniter/TastyIgniter/blob/3.x/app/admin/controllers/Orders.php
https://medium.com/@cnetsec/cve-2024-44314-incorrect-access-control-in-function-updateorder-fc5f2b1b0467

Configurations

No configuration.

History

21 Mar 2025, 15:15

Type	Values Removed	Values Added
CWE		CWE-285
Summary		(es) TastyIgniter 3.7.6 contiene una vulnerabilidad de control de acceso incorrecto en el sistema de gestión de pedidos, que permite a usuarios no autorizados actualizar el estado de los pedidos. El problema se produce en la función index_onUpdateStatus() de Orders.php, que no verifica si el usuario tiene permiso para modificar el estado de un pedido. Esta vulnerabilidad puede explotarse remotamente, lo que permite la manipulación no autorizada de pedidos.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

18 Mar 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-18 15:15

Updated : 2025-03-21 15:15

NVD link : CVE-2024-44314

Mitre link : CVE-2024-44314

CVE.ORG link : CVE-2024-44314

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

6.5 /10