PT-2021-22711 · Adobe · Commerce
Published
2021-10-15
·
Updated
2022-05-24
·
CVE-2021-39864
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
Adobe Commerce versions 2.4.3 and earlier, 2.4.2-p2 and earlier, 2.3.7p1 and earlier
Description:
A cross-site request forgery (CSRF) issue exists via a Wishlist Share Link, allowing an unauthenticated attacker to add items to a customer's cart without authorization. This can be exploited without access to the admin console.
Recommendations:
For versions 2.4.3 and earlier, 2.4.2-p2 and earlier, 2.3.7p1 and earlier, update to a version that includes a fix for this issue to prevent unauthorized additions to customer carts. As a temporary workaround, consider restricting access to the Wishlist Share Link feature until a patch is available.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Commerce