8.8
CVE-2021-36032
- EPSS 0.87%
- Veröffentlicht 01.09.2021 15:15:09
- Zuletzt bearbeitet 21.11.2024 06:12:59
- Quelle psirt@adobe.com
- Teams Watchlist Login
- Unerledigt Login
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Adobe ≫ Adobe Commerce Version >= 2.3.0 <= 2.3.7
Adobe ≫ Adobe Commerce Version >= 2.4.0 <= 2.4.2
Adobe ≫ Adobe Commerce Version2.4.2 Updatep1
Adobe ≫ Magento Open Source Version >= 2.3.0 <= 2.3.7
Adobe ≫ Magento Open Source Version >= 2.4.0 <= 2.4.2
Adobe ≫ Magento Open Source Version2.4.2 Updatep1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.87% | 0.745 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
| psirt@adobe.com | 8.3 | 2.8 | 5.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.