{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T11:10:01.134","vulnerabilities":[{"cve":{"id":"CVE-2025-52920","sourceIdentifier":"cve@mitre.org","published":"2025-06-23T12:15:22.803","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID."},{"lang":"es","value":"Innoshop, hasta la versión 0.4.1, permite la Referencia Directa a Objetos Insegura (IDOR) en varios puntos de la interfaz de la tienda. Cualquiera puede crear una cuenta de cliente y explotarla fácilmente. Una explotación exitosa da como resultado la divulgación de la información personal identificable (PII) de otros clientes y la eliminación de sus reseñas de productos en el sitio web. En concreto, un atacante podría ver los detalles de cualquier pedido accediendo a /en/account/orders/_ORDER_ID_ o usar la dirección y la información de facturación de otros clientes manipulando los parámetros shipping_address_id y billing_address_id al realizar un pedido (esta información se refleja en el recibo). Además, un atacante podría eliminar las reseñas de otros usuarios enviando una solicitud DELETE a /en/account/reviews/_REVIEW_ID."}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":2.7}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-425"}]}],"references":[{"url":"https://github.com/innocommerce/innoshop","source":"cve@mitre.org"},{"url":"https://medium.com/@The_Hiker/how-i-found-multiple-cves-in-innoshop-0-4-1-12c8f84ad87f","source":"cve@mitre.org"}]}}]}