sansecio / magevulndb

List of Magento extensions with known security issues.
https://sansec.io

Add Amasty_Gdpr < 2.6.0 #85

Closed mpchadwick closed 3 years ago

mpchadwick commented 3 years ago

From the Amasty website.

"2.6.0 - Feb 22, 2021: Improvement we improved the security of the anonymization process and downloading of customer information as well"

I reported the issue to them, and characterizing the change as an "improvement" is quite the spin on things (going to refrain from going into detail publicly on what the issue actually was).

gwillem commented 3 years ago

Thanks! PS perhaps you want to share the risk level, so that people know how to prioritize this fix?

mpchadwick commented 3 years ago

It's a PII disclosure issue (no auth required).