CVE-2021-39864

Summary

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

Affected Software

VendorProductVersion RangeStatus
AdobeMagento Commerceunspecified <= 2.4.3affected
AdobeMagento Commerceunspecified <= 2.4.2-p2affected
AdobeMagento Commerceunspecified <= 2.3.7-p1affected
AdobeMagento Commerceunspecified <= Noneaffected

Weaknesses

  • CWE-352: Cross-Site Request Forgery (CSRF) (CWE-352)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References