Innoshop CVE-2025-52920

| EUVD-2025-18869 MEDIUM
Direct Request ('Forced Browsing') (CWE-425)
2025-06-23 [email protected]
Information Disclosure
6.4
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-18869
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 12:15 nvd
MEDIUM 6.4

DescriptionNVD

Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.

AnalysisAI

A security vulnerability in Innoshop through 0.4.1 (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Technical ContextAI

Vulnerability type not specified by vendor. Affects Innoshop through 0.4.1.

RemediationAI

Monitor vendor channels for patch availability.

Share

CVE-2025-52920 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy