PT-2021-2305 · Adobe · Magento
Published
2021-02-09
·
Updated
2024-03-06
·
CVE-2021-21027
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Magento versions 2.4.1 and earlier
Magento versions 2.4.0-p1 and earlier
Magento versions 2.3.6 and earlier
Description
The issue is related to a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.
Recommendations
For Magento versions 2.4.1 and earlier, update to a version that includes a fix for this issue.
For Magento versions 2.4.0-p1 and earlier, update to a version that includes a fix for this issue.
For Magento versions 2.3.6 and earlier, update to a version that includes a fix for this issue.
As a temporary workaround, consider restricting access to the GraphQL API to minimize the risk of exploitation.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Magento