CVE-2024-44314

TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order statuses. The issue occurs in the index_onUpdateStatus() function within Orders.php, which fails to verify if the user has permission to modify an order's status. This flaw can be exploited remotely, leading to unauthorized order manipulation.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tastyigniter/TastyIgniter/blob/3.x/app/admin/controllers/Orders.php	Product
https://medium.com/@cnetsec/cve-2024-44314-incorrect-access-control-in-function-updateorder-fc5f2b1b0467	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tastyigniter:tastyigniter:3.7.6:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-18 15:15

Updated : 2025-04-02 12:29

NVD link : CVE-2024-44314

Mitre link : CVE-2024-44314

CVE.ORG link : CVE-2024-44314

JSON object : View

Products Affected

tastyigniter

tastyigniter

CWE

CWE-285

Improper Authorization

{"id": "CVE-2024-44314", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-03-18T15:15:53.847", "references": [{"url": "https://github.com/tastyigniter/TastyIgniter/blob/3.x/app/admin/controllers/Orders.php", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://medium.com/@cnetsec/cve-2024-44314-incorrect-access-control-in-function-updateorder-fc5f2b1b0467", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order statuses. The issue occurs in the index_onUpdateStatus() function within Orders.php, which fails to verify if the user has permission to modify an order's status. This flaw can be exploited remotely, leading to unauthorized order manipulation."}, {"lang": "es", "value": "TastyIgniter 3.7.6 contiene una vulnerabilidad de control de acceso incorrecto en el sistema de gesti\u00f3n de pedidos, que permite a usuarios no autorizados actualizar el estado de los pedidos. El problema se produce en la funci\u00f3n index_onUpdateStatus() de Orders.php, que no verifica si el usuario tiene permiso para modificar el estado de un pedido. Esta vulnerabilidad puede explotarse remotamente, lo que permite la manipulaci\u00f3n no autorizada de pedidos."}], "lastModified": "2025-04-02T12:29:56.447", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tastyigniter:tastyigniter:3.7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EBEBFB5-5A04-4CED-8533-04062AF99960"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}