CVE-2021-39864

CWE-352 — Cross-Site Request Forgery (CSRF)4 documents4 sources

Severity

6.5MEDIUM

EPSS

1.0%

top 23.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Community-edition Adobe Magento Commerce Adobe Commerce +2 more

Timeline

PublishedOct 15

Latest updateMay 24

Description

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDadobe/commerce2.3.7+3

▶CVEListV5adobe/magento_commerceunspecified — 2.4.3+3

▶NVDadobe/magento_open_source2.3.7+3

▶Packagistmagento/community-edition2.4.2-p1 — 2.4.2-p2+1

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

GHSA

Magento Open Source allows Cross-Site Request Forgery (CSRF)↗2022-05-24

▶

OSV

Magento Open Source allows Cross-Site Request Forgery (CSRF)↗2022-05-24

▶

CVEList

Adobe Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Cart Addition↗2021-10-15

▶