PT-2021-6361 · Adobe · Magento Commerce
Published 2021-08-11 · Updated 2022-05-24 · CVE-2021-36012
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Magento Commerce versions 2.4.2 and earlier
Magento Commerce versions 2.4.2-p1 and earlier
Magento Commerce versions 2.3.7 and earlier
Description
The issue is related to a business logic error in the placeOrder graphql mutation, allowing an authenticated attacker to alter the price of an item. This is due to incorrect handling of logical operations, which can be exploited by a remote attacker to bypass existing security restrictions.
Recommendations
For Magento Commerce versions 2.4.2 and earlier, update to a version that fixes the business logic error in the placeOrder graphql mutation.
For Magento Commerce versions 2.4.2-p1 and earlier, update to a version that fixes the business logic error in the placeOrder graphql mutation.
For Magento Commerce versions 2.3.7 and earlier, update to a version that fixes the business logic error in the placeOrder graphql mutation.
As a temporary workaround, consider restricting access to the placeOrder graphql mutation until a patch is available.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Magento Commerce