CVE-2021-21012

CWE-639 — Insecure Direct Object Reference CWE-787 — Out-of-bounds Write CWE-863 — Incorrect Authorization3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.4%

top 36.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Magento Commerce Adobe Magento Open Source

Timeline

PublishedJan 13

Latest updateMay 24

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5adobe/magento_commerceunspecified — 2.4.1+3

▶NVDadobe/magento_commerce2.3.6+2

▶NVDadobe/magento_open_source2.3.6+2

🔴Vulnerability Details

GHSA

GHSA-6vpq-pcm8-6pgw: Adobe Bridge version 11↗2022-05-24

▶

CVEList

Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure↗2021-01-13

▶