CVE-2021-21012
Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure
In short
Magento's checkout module allows attackers to access other customers' sensitive information by manipulating order references. This happens because the system doesn't properly verify who should see which data.
Technical detail
Unauthenticated or authenticated attackers can exploit IDOR in the checkout module by directly referencing object identifiers (order IDs, customer data) without proper authorization checks. Exploitation requires knowledge of valid object identifiers and results in unauthorized access to sensitive checkout-related information including customer details and order data.
Summary generated and translated by AI from the official description.
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Adobe · Magento CommerceWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →