CVE-2021-21013: Incorrect Authorization in Adobe Magento Commerce

Severity: 8.1 HIGH (NVD)
EPSS: 0.6% (top 29.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 13; latest update May 24

Description

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) vulnerability in the customer API module. Successful exploitation could lead to disclosure of sensitive information and to the update of arbitrary information on another user's account.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD | adobe/magento | 2.4.1 | +1
CVEListV5 | adobe/magento_commerce | unspecified | 2.4.1 | +3

Vulnerability Details (2)

GHSA | GHSA-5ffv-cqpm-6p2j: Adobe Bridge version 11 | 2022-05-24
CVEList | Magento Commerce Insecure Direct Object Reference Could Lead To Information Disclosure | 2021-01-13
CVE-2021-21013 — Incorrect Authorization in Adobe | cvebase