A vulnerability was found in Magento up to 2.3.6/2.4.0-p1/2.4.1. It has been declared as problematic. Affected by this vulnerability is some unknown processing of the component GraphQL API. The manipulation with an unknown input leads to a cross site request forgery vulnerability. The CWE definition for the vulnerability is CWE-352. As an impact it is known to affect integrity. An attacker might be able force legitimate users to initiate unwanted actions within the web application. The summary by CVE is:

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

The weakness was shared 02/12/2021. It is possible to read the advisory at helpx.adobe.com. This vulnerability is known as CVE-2021-21027 since 12/18/2020. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfoedit

Name

• Magento

CPE 2.3infoedit

• 🔒
• 🔒
• 🔒

CPE 2.2infoedit

• 🔒
• 🔒
• 🔒

CVSSv3infoedit

CVSSv2infoedit

Exploitinginfoedit

Threat Intelligenceinfoedit

Countermeasuresinfoedit

Timelineinfoedit

Sourcesinfoedit

Entryinfoedit

Comments