
CVE-2021-28563 magento/community-edition

Package

Manager: composer
Name: magento/community-edition
Vulnerable Version: >=2.4.0 <2.4.2-p1 || >=0 <2.3.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (base score 6.5, Medium)

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00189 (percentile 0.40981)

Details

Magento Unauthorized access to restricted resources

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability (CWE-285) via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. The advisory text also states that access to the admin console is required for successful exploitation, which contradicts the "unauthenticated" wording; the CVSS vectors above (PR:N) follow the unauthenticated reading. Either way, the fix is to move outside the vulnerable range: 2.4.2-p1 or later on the 2.4 line, 2.3.7 or later on the 2.3 line.
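The affected-version list above and the Composer range in the Package section say the same thing, but checking an installed store against them by hand is error-prone because Magento's `-pN` security patch releases sort after the bare version (2.4.2 is affected, 2.4.2-p1 is not), which is the opposite of how semver pre-release suffixes sort. The following is an added example, not code from Magento, Composer or this advisory: it parses Magento-style versions, evaluates the advisory's Composer range with `||` as OR and whitespace as AND, and reads the pinned version out of a composer.lock document. The range string is copied from the Vulnerable Version field; the composer.lock excerpt and the package name used for the lookup are constructed for the demo.

```python
import json
import operator
import re
from typing import Optional, Tuple

# Added example (not Magento's or Composer's code). The range below is copied
# from this advisory's "Vulnerable Version" field; the composer.lock sample
# further down is constructed for the demo.
VULNERABLE_RANGE = ">=2.4.0 <2.4.2-p1 || >=0 <2.3.7"

# Magento tags look like 2.4.1 or 2.4.1-p1 (security patch release).
_VERSION_RE = re.compile(
    r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?(?:-p(\d+))?$"
)
_CONSTRAINT_RE = re.compile(r"^(>=|<=|>|<|=)?\s*(\S+)$")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}


def parse_version(v: str) -> Tuple[int, ...]:
    """Map '2.4.1-p1' to (2, 4, 1, 0, 1).

    Composer treats Magento's '-pN' suffix as a patch release that sorts
    AFTER the bare version, so 2.4.2 < 2.4.2-p1. A semver-style comparison
    that sorts hyphenated suffixes as pre-releases gets this backwards and
    would report 2.4.2 as fixed although the advisory lists it as affected.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def _satisfies(constraint: str, version: Tuple[int, ...]) -> bool:
    """Evaluate one comparator such as '<2.4.2-p1' or '>=0'."""
    m = _CONSTRAINT_RE.match(constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = m.group(1) or "=", m.group(2)
    return _OPS[op](version, parse_version(bound))


def is_vulnerable(installed: str, vulnerable_range: str = VULNERABLE_RANGE) -> bool:
    """Composer range semantics: '||' separates alternatives; inside an
    alternative, whitespace or ',' joins comparators with AND."""
    version = parse_version(installed)
    for alternative in vulnerable_range.split("||"):
        comparators = [c for c in re.split(r"[\s,]+", alternative.strip()) if c]
        if comparators and all(_satisfies(c, version) for c in comparators):
            return True
    return False


def installed_version_from_lock(lock_json: str,
                                package: str = "magento/community-edition") -> Optional[str]:
    """Return the version pinned for `package` in a composer.lock document,
    or None if the package is not locked."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(lock_json: str) -> dict:
    """Combine the two steps: find the pinned version, test it against the range."""
    version = installed_version_from_lock(lock_json)
    return {
        "version": version,
        "vulnerable": version is not None and is_vulnerable(version),
    }


# Constructed composer.lock excerpt for the demo (not from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/community-edition", "version": "2.4.1-p1"},
        {"name": "magento/framework", "version": "103.0.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for v in ("2.3.6-p1", "2.3.7", "2.4.1-p1", "2.4.2", "2.4.2-p1", "2.4.3"):
        print(f"{v:10} vulnerable={is_vulnerable(v)}")
    print(check_lock(SAMPLE_LOCK))
```

If the lock file on a real store pins the release under a different metapackage name, pass that name via the `package` argument of `installed_version_from_lock`; the range evaluation is unchanged. The boundary cases worth keeping in a regression test are 2.4.2 (affected) against 2.4.2-p1 (fixed) and 2.3.6-p1 (affected) against 2.3.7 (fixed), since those are exactly where a naive version comparison goes wrong.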

Metadata

Created: 2022-05-24T19:06:25Z
Modified: 2024-01-10T20:24:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q9xx-4689-gvv5/GHSA-q9xx-4689-gvv5.json
CWE IDs: ["CWE-285"]
Alternative ID: GHSA-q9xx-4689-gvv5
Finding: F039
Auto approve: 1