Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by mrw

    CVE-2024-6506 (GCVE-0-2024-6506)

    Vulnerability from nvd – Published: 2024-07-04 12:52 – Updated: 2024-08-01 21:41
    VLAI
    Title
    Information exposure vulnerability in the MRW plug-in
    Summary
    Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the "mrw_log" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    MRW MRW plugin Affected: 5.4.3
    Create a notification for this product.
    mrw mrw Affected: 5.4.3
        cpe:2.3:a:mrw:mrw:5.4.3:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-07-04 11:00
    Credits
    Jesús Higueras
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:mrw:mrw:5.4.3:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mrw",
                "vendor": "mrw",
                "versions": [
                  {
                    "status": "affected",
                    "version": "5.4.3"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-05T17:30:06.304569Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T16:52:35.572Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:03.535Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MRW plugin",
              "vendor": "MRW",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.4.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jes\u00fas Higueras"
            }
          ],
          "datePublic": "2024-07-04T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Information exposure vulnerability in the MRW plugin, in its\u0026nbsp;5.4.3 version,\u0026nbsp;affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers\u0027 order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."
                }
              ],
              "value": "Information exposure vulnerability in the MRW plugin, in its\u00a05.4.3 version,\u00a0affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers\u0027 order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-04T12:52:15.521Z",
            "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            "shortName": "INCIBE"
          },
          "references": [
            {
              "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerability has been fixed by the MRW team in version 5.5.1."
                }
              ],
              "value": "The vulnerability has been fixed by the MRW team in version 5.5.1."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Information exposure vulnerability in the MRW plug-in",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "assignerShortName": "INCIBE",
        "cveId": "CVE-2024-6506",
        "datePublished": "2024-07-04T12:52:15.521Z",
        "dateReserved": "2024-07-04T10:08:19.529Z",
        "dateUpdated": "2024-08-01T21:41:03.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6506 (GCVE-0-2024-6506)

    Vulnerability from cvelistv5 – Published: 2024-07-04 12:52 – Updated: 2024-08-01 21:41
    VLAI
    Title
    Information exposure vulnerability in the MRW plug-in
    Summary
    Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the "mrw_log" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    MRW MRW plugin Affected: 5.4.3
    Create a notification for this product.
    mrw mrw Affected: 5.4.3
        cpe:2.3:a:mrw:mrw:5.4.3:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-07-04 11:00
    Credits
    Jesús Higueras
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:mrw:mrw:5.4.3:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "mrw",
                "vendor": "mrw",
                "versions": [
                  {
                    "status": "affected",
                    "version": "5.4.3"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-05T17:30:06.304569Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T16:52:35.572Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:03.535Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MRW plugin",
              "vendor": "MRW",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.4.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jes\u00fas Higueras"
            }
          ],
          "datePublic": "2024-07-04T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Information exposure vulnerability in the MRW plugin, in its\u0026nbsp;5.4.3 version,\u0026nbsp;affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers\u0027 order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."
                }
              ],
              "value": "Information exposure vulnerability in the MRW plugin, in its\u00a05.4.3 version,\u00a0affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers\u0027 order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-04T12:52:15.521Z",
            "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            "shortName": "INCIBE"
          },
          "references": [
            {
              "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerability has been fixed by the MRW team in version 5.5.1."
                }
              ],
              "value": "The vulnerability has been fixed by the MRW team in version 5.5.1."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Information exposure vulnerability in the MRW plug-in",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "assignerShortName": "INCIBE",
        "cveId": "CVE-2024-6506",
        "datePublished": "2024-07-04T12:52:15.521Z",
        "dateReserved": "2024-07-04T10:08:19.529Z",
        "dateUpdated": "2024-08-01T21:41:03.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }