Lucene search

[email protected]NVD:CVE-2021-39864

HistoryOct 15, 2021 - 3:15 p.m.

CVE-2021-39864

2021-10-1515:15:08

CWE-352

[email protected]

web.nvd.nist.gov

adobe commerce

csrf

vulnerability

wishlist share link

unauthorized access

customer cart

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

29.5%

JSON

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

Affected configurations

Nvd

Node

adobecommerceRange≤2.3.7

adobecommerceMatch2.3.7p1

adobecommerceMatch2.4.2

adobecommerceMatch2.4.2p1

adobecommerceMatch2.4.2p2

adobecommerceMatch2.4.3

Node

adobemagento_open_sourceRange≤2.3.7

adobemagento_open_sourceMatch2.3.7p1

adobemagento_open_sourceMatch2.4.2

adobemagento_open_sourceMatch2.4.2p1

adobemagento_open_sourceMatch2.4.2p2

adobemagento_open_sourceMatch2.4.3

VendorProductVersionCPE
adobecommerce*cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*
adobecommerce2.3.7cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:*
adobecommerce2.4.2cpe:2.3:a:adobe:commerce:2.4.2:*:*:*:*:*:*:*
adobecommerce2.4.2cpe:2.3:a:adobe:commerce:2.4.2:p1:*:*:*:*:*:*
adobecommerce2.4.2cpe:2.3:a:adobe:commerce:2.4.2:p2:*:*:*:*:*:*
adobecommerce2.4.3cpe:2.3:a:adobe:commerce:2.4.3:*:*:*:*:*:*:*
adobemagento_open_source*cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*
adobemagento_open_source2.3.7cpe:2.3:a:adobe:magento_open_source:2.3.7:p1:*:*:*:*:*:*
adobemagento_open_source2.4.2cpe:2.3:a:adobe:magento_open_source:2.4.2:*:*:*:*:*:*:*
adobemagento_open_source2.4.2cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*

Vendor	Product	Version	CPE
adobe	commerce	*	cpe:2.3:a:adobe:commerce::::::::
adobe	commerce	2.3.7	cpe:2.3:a:adobe:commerce:2.3.7:p1::::::
adobe	commerce	2.4.2	cpe:2.3:a:adobe:commerce:2.4.2:::::::*
adobe	commerce	2.4.2	cpe:2.3:a:adobe:commerce:2.4.2:p1::::::
adobe	commerce	2.4.2	cpe:2.3:a:adobe:commerce:2.4.2:p2::::::
adobe	commerce	2.4.3	cpe:2.3:a:adobe:commerce:2.4.3:::::::*
adobe	magento_open_source	*	cpe:2.3:a:adobe:magento_open_source::::::::
adobe	magento_open_source	2.3.7	cpe:2.3:a:adobe:magento_open_source:2.3.7:p1::::::
adobe	magento_open_source	2.4.2	cpe:2.3:a:adobe:magento_open_source:2.4.2:::::::*
adobe	magento_open_source	2.4.2	cpe:2.3:a:adobe:magento_open_source:2.4.2:p1::::::

Rows per page:

1-10 of 121

References

helpx.adobe.com/security/products/magento/apsb21-86.html

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

29.5%

JSON

Related for NVD:CVE-2021-39864

cve1 cnvd1 cvelist1 prion1 osv1 adobe1