CVE-2021-21022
Magento Commerce Incorrect permissions Could Lead To Unauthorized Access
In short
Magento Commerce has a flaw that allows attackers to access products and information they shouldn't be able to see by manipulating direct object references. This could expose sensitive product data or allow unauthorized users to view restricted resources.
Technical detail
An insecure direct object reference (IDOR) vulnerability exists in Magento's product module where insufficient permission checks allow authenticated or unauthenticated attackers to access restricted resources by directly referencing objects. Exploitation requires manipulating product identifiers or API parameters; successful exploitation leads to unauthorized information disclosure of sensitive product data.
Summary generated and translated by AI from the official description.
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Adobe · Magento CommerceWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →