[ https://issues.apache.org/jira/browse/OFBIZ-672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-672:
----------------------------------

    Priority: Critical  (was: Blocker)

Sorry Rohit, this is not a blocking issue, just critical.

> Changing order # in URL allows orders made by other users to be viewed...
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-672
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-672
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Rohit Sureka
>            Priority: Critical
>
> If you login to the ecommerce area of ofbiz and view an order using the URL
> https://www.example.com/ecommerce/control/orderstatus?orderId=10330, you can
> view any order made by other users by changing the order number in the URL,
> e.g.
> https://www.example.com/ecommerce/control/orderstatus?orderId=TMN10550 will
> show the order #10550 and complete details such as address, last digits of
> credit card etc., even if the order was placed by another user.
> I believe this is a very serious security issue as well, hence I have given
> the highest priority ratings to this issue.
> Rohit

--
This message is automatically generated by JIRA.
- You can reply to this email to add a comment to the issue online.
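The defect Rohit describes is a missing ownership check on an object referenced by a URL parameter: the page looks the order up by `orderId` and never verifies that the logged-in customer placed it. The following is an added illustration, not OFBiz code, written against a constructed in-memory order store and a minimal session object (names such as `Order`, `Session`, `ORDERS` and `party_id` are assumptions for the example). It places the unchecked lookup beside the hardened one, which also returns the same "not found" answer for a foreign order as for a missing one, so the response does not confirm which order numbers exist.

```python
"""Added example (not OFBiz code): an order-status lookup keyed by orderId,
with and without a check that the order belongs to the logged-in party."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: str
    party_id: str      # the customer who placed the order
    ship_to: str
    card_last4: str


# Constructed sample orders; ids and details are placeholders, not real data.
ORDERS = {
    "10330": Order("10330", "cust-alice", "1 Example St", "4242"),
    "10550": Order("10550", "cust-bob", "2 Sample Ave", "1111"),
}


@dataclass(frozen=True)
class Session:
    party_id: Optional[str]   # None means not logged in


def order_status_vulnerable(session: Session, order_id: str) -> Optional[Order]:
    """Looks the order up by the URL parameter only. Being logged in is the
    sole requirement, so any customer can read any order: the defect in the
    report above."""
    if session.party_id is None:
        return None
    return ORDERS.get(order_id)


def order_status(session: Session, order_id: str) -> Optional[Order]:
    """Looks the order up, then verifies it belongs to the session's party.
    A foreign order and a missing order both yield None, so the caller cannot
    tell whether a guessed id exists."""
    if session.party_id is None:
        return None
    order = ORDERS.get(order_id)
    if order is None or order.party_id != session.party_id:
        return None
    return order


def render_status(session: Session, order_id: str, lookup=order_status) -> str:
    """Builds the response text; one generic message for anything the
    caller may not see."""
    order = lookup(session, order_id)
    if order is None:
        return "Order not found"
    return (f"Order {order.order_id}: ship to {order.ship_to}, "
            f"card ending {order.card_last4}")


if __name__ == "__main__":
    alice = Session("cust-alice")
    # Unchecked lookup exposes another customer's order; checked lookup does not.
    print(render_status(alice, "10550", order_status_vulnerable))
    print(render_status(alice, "10550"))
```

The ownership comparison belongs in the request handler (or a shared helper every order-viewing page calls), not in the template: a view that only hides fields still leaks whether the order exists, and other controllers reading the same parameter would need the same fix.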