PT-2021-3431 · Adobe · Magento
Published
2021-05-11
·
Updated
2024-03-06
·
CVE-2021-28563
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Magento versions 2.4.2 and earlier
Magento versions 2.4.1-p1 and earlier
Magento versions 2.3.6-p1 and earlier
Description
The issue is related to an Improper Authorization vulnerability via the "Create Customer" endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation. The vulnerability is associated with authorization errors and can allow a remote attacker to gain unauthorized access to protected information.
Recommendations
For Magento versions 2.4.2 and earlier, update to a version that includes the fix for this issue.
For Magento versions 2.4.1-p1 and earlier, update to a version that includes the fix for this issue.
For Magento versions 2.3.6-p1 and earlier, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the "Create Customer" endpoint until a patch is available.
Fix
Improper Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Magento