CVE-2024-44313
Published: 18 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
TastyIgniter version 3.7.6 is affected by CVE-2024-44313, an Incorrect Access Control vulnerability (CWE-284) in the invoice() function of the admin Orders controller (app/admin/controllers/Orders.php). The function performs no permission check before generating an invoice, so the invoice generation functionality is reachable by any authenticated account rather than only by accounts entitled to it. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N): reachable over the network, low attack complexity, low privileges required, no user interaction, high confidentiality and integrity impact, no availability impact.
The PR:L component means exploitation needs an existing low-privileged account, such as a registered user with basic access; beyond that it is remote, low complexity and requires no user interaction. By calling invoice() for orders they do not own, such an account can read other users' invoices, including the underlying order details, and generate invoice documents they are not entitled to, which is why the vector rates both confidentiality and integrity as high while availability is unaffected. Because the permission check is absent rather than merely weak, every authenticated account on an unpatched 3.7.6 instance should be assumed able to reach the function.
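The following is an added illustration written for this advisory; it is not code from TastyIgniter or from the disclosure write-up. It models the vulnerable pattern (an admin action that renders an invoice for any order id without checking the caller's permission) next to a hardened version of the same action, and runs both against constructed data. The Staff and Order classes, the 'Admin.Orders' permission key, the sample orders and accounts are all hypothetical; the script needs PHP 8.1 or later.

```php
<?php
// Added illustration for CVE-2024-44313, not TastyIgniter's code.
// Staff, Order, the 'Admin.Orders' permission key and the data below
// are hypothetical stand-ins for the application's real models.
declare(strict_types=1);

final class Staff
{
    /** @param string[] $permissions permission keys granted to this account */
    public function __construct(
        public readonly int $id,
        public readonly array $permissions,
    ) {
    }

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class Order
{
    public function __construct(
        public readonly int $id,
        public readonly int $customerId,
        public readonly float $total,
    ) {
    }
}

/** Render the invoice body; the only place order data is disclosed. */
function renderInvoice(Order $order): string
{
    return sprintf('200 invoice #%d customer=%d total=%.2f',
        $order->id, $order->customerId, $order->total);
}

/**
 * Vulnerable shape (CWE-284). The action assumes that reaching the admin
 * panel is authorisation enough, so any authenticated account can walk
 * order ids and read every invoice.
 *
 * @param array<int, Order> $orders constructed stand-in for the orders table
 */
function invoiceVulnerable(array $orders, Staff $user, int $orderId): string
{
    $order = $orders[$orderId] ?? null;
    return $order === null ? '404 not found' : renderInvoice($order);
}

/**
 * Hardened shape. The permission gate runs before the record lookup, so an
 * unauthorised caller gets the same 403 whether or not the id exists and
 * cannot use the action as an order-id oracle.
 *
 * @param array<int, Order> $orders constructed stand-in for the orders table
 */
function invoiceHardened(array $orders, Staff $user, int $orderId): string
{
    if (!$user->hasPermission('Admin.Orders')) {
        return '403 forbidden';
    }
    $order = $orders[$orderId] ?? null;
    return $order === null ? '404 not found' : renderInvoice($order);
}

// Constructed sample data: two orders and two admin-panel accounts, one of
// which holds only a dashboard permission (the "low-privileged" attacker).
$orders = [
    1001 => new Order(1001, 7, 42.50),
    1002 => new Order(1002, 9, 118.00),
];
$lowPriv = new Staff(2, ['Admin.Dashboard']);
$manager = new Staff(1, ['Admin.Dashboard', 'Admin.Orders']);

// 1003 does not exist: note that the hardened version never reveals that
// to the low-privileged caller.
foreach ([1001, 1002, 1003] as $id) {
    printf("order %d  low-priv vulnerable: %s\n", $id, invoiceVulnerable($orders, $lowPriv, $id));
    printf("order %d  low-priv hardened:   %s\n", $id, invoiceHardened($orders, $lowPriv, $id));
    printf("order %d  manager  hardened:   %s\n", $id, invoiceHardened($orders, $manager, $id));
}
```

Run it with `php invoice_check.php`. The per-action check shown is the minimal fix for a single missing gate; in a Laravel-style application the same permission is better enforced in route middleware or a policy that every action in the controller passes through, so that a newly added action cannot omit the check the way invoice() did here. Ordering the permission check before the record lookup is deliberate: an unauthorised caller should not be able to distinguish existing from non-existent order ids.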
References: the vulnerable source in the TastyIgniter GitHub repository, https://github.com/tastyigniter/TastyIgniter/blob/3.x/app/admin/controllers/Orders.php, and the disclosure write-up on Medium, https://medium.com/@cnetsec/cve-2024-44313-incorrect-access-control-in-tastyigniter-3-7-6-01a73c548b74. Use the source to confirm whether the deployed version enforces a permission check in invoice(). The mitigation is to add an explicit permission check to invoice() before any order data is read, and to upgrade to a release later than 3.7.6 in which that check is present (verify this against the source rather than assuming it from the version number).
Details
CWE(s): CWE-284 (Improper Access Control)
Affected Products: TastyIgniter 3.7.6
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation)
Why these techniques?
The vulnerability is a missing permission check in a web application's invoice generation function, letting a low-privileged authenticated user reach data and functionality reserved for higher-privileged roles. Exploit Public-Facing Application (T1190) applies because the flaw is reached over the network in an Internet-facing web application, with the caveat that PR:L means the attacker already holds an account on the system rather than gaining an unauthenticated foothold. Exploitation for Privilege Escalation (T1068) applies because the low-privileged account obtains order data access and invoice generation that its role does not grant.