CVE-2021-36032
EUVD-2021-2266501.09.2021, 15:15
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| adobe | adobe_commerce | 2.3.0 ≤ 𝑥 ≤ 2.3.7 |
| adobe | adobe_commerce | 2.4.0 ≤ 𝑥 ≤ 2.4.2 |
| adobe | adobe_commerce | 2.4.2:p1 |
| adobe | magento_open_source | 2.3.0 ≤ 𝑥 ≤ 2.3.7 |
| adobe | magento_open_source | 2.4.0 ≤ 𝑥 ≤ 2.4.2 |
| adobe | magento_open_source | 2.4.2:p1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-639 - Authorization Bypass Through User-Controlled KeyThe system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.