{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6506", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-07-04T10:08:19.529Z", "datePublished": "2024-07-04T12:52:15.521Z", "dateUpdated": "2024-08-01T21:41:03.535Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MRW plugin", "vendor": "MRW", "versions": [{"status": "affected", "version": "5.4.3"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jes\u00fas Higueras"}], "datePublic": "2024-07-04T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."}], "value": "Information exposure vulnerability in the MRW plugin, in its\u00a05.4.3 version,\u00a0affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-07-04T12:52:15.521Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability has been fixed by the MRW team in version 5.5.1."}], "value": "The vulnerability has been fixed by the MRW team in version 5.5.1."}], "source": {"discovery": "EXTERNAL"}, "title": "Information exposure vulnerability in the MRW plug-in", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "mrw", "product": "mrw", "cpes": ["cpe:2.3:a:mrw:mrw:5.4.3:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.4.3", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-05T17:30:06.304569Z", "id": "CVE-2024-6506", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T16:52:35.572Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.535Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.535Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6506", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-05T17:30:06.304569Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mrw:mrw:5.4.3:*:*:*:*:*:*:*"], "vendor": "mrw", "product": "mrw", "versions": [{"status": "affected", "version": "5.4.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:38:30.369Z"}}], "cna": {"title": "Information exposure vulnerability in the MRW plug-in", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jes\u00fas Higueras"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MRW", "product": "MRW plugin", "versions": [{"status": "affected", "version": "5.4.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability has been fixed by the MRW team in version 5.5.1.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been fixed by the MRW team in version 5.5.1.", "base64": false}]}], "datePublic": "2024-07-04T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Information exposure vulnerability in the MRW plugin, in its\u00a05.4.3 version,\u00a0affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels.", "supportingMedia": [{"type": "text/html", "value": "Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-07-04T12:52:15.521Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6506", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:41:03.535Z", "dateReserved": "2024-07-04T10:08:19.529Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-07-04T12:52:15.521Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Information exposure vulnerability in the MRW plugin, in its\u00a05.4.3 version,\u00a0affecting the \"mrw_log\" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels."}, {"lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n en el plugin MRW, en su versi\u00f3n 5.4.3, afectando a la funcionalidad \"mrw_log\". Esta vulnerabilidad podr\u00eda permitir que un atacante remoto obtenga informaci\u00f3n de pedidos de otros clientes y acceda a informaci\u00f3n confidencial como nombre y n\u00famero de tel\u00e9fono. Esta vulnerabilidad tambi\u00e9n permite a un atacante crear o sobrescribir etiquetas de env\u00edo."}], "id": "CVE-2024-6506", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-07-04T13:15:10.240", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/information-exposure-vulnerability-mrw-plug"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}

{}

{}