PT-2021-6351 · Adobe · Magento Commerce
Published 2021-08-11 · Updated 2022-05-24 · CVE-2021-36039
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Magento Commerce versions 2.4.2 and earlier
Magento Commerce versions 2.4.2-p1 and earlier
Magento Commerce versions 2.3.7 and earlier
Description
The vulnerability stems from improper input validation of the quoteId parameter, which allows an attacker to disclose sensitive information. It also involves improper authorization, which can let a remote attacker gain unauthorized access to protected information.
Recommendations
For Magento Commerce versions 2.4.2 and earlier, update to a version that addresses the improper input validation and authorization issues.
For Magento Commerce versions 2.4.2-p1 and earlier, update to a version that addresses the improper input validation and authorization issues.
For Magento Commerce versions 2.3.7 and earlier, update to a version that addresses the improper input validation and authorization issues.
As a temporary workaround, consider restricting access to the quoteId parameter to minimize the risk of exploitation.
Fix
Weakness Enumeration
Incorrect Authorization
Related Identifiers
Affected Products
Magento Commerce