CVE-2021-39864

MEDIUM

Adobe Commerce < 2.3.7 and 2.4.2-p1-2.4.3 - Cross-Site Request Forgery via Wishlist Share Link

Title source: llm

Description

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

References (1)

Core References
Release Notes, Vendor Advisory x_refsource_misc
https://helpx.adobe.com/security/products/magento/apsb21-86.html

Scores

CVSS v3 6.5
EPSS 0.0100
EPSS Percentile 77.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (10)
adobe/commerce 2.3.7 p1
adobe/commerce 2.4.2 (3 CPE variants)
adobe/commerce 2.4.3
adobe/commerce < 2.3.7
adobe/magento_open_source 2.3.7 p1
adobe/magento_open_source 2.4.2 (3 CPE variants)
adobe/magento_open_source 2.4.3
adobe/magento_open_source < 2.3.7
magento/community-edition 2.4.2-p1 (Packagist)
magento/project-community-edition 0 (Packagist)
Published Oct 15, 2021
Tracked Since Feb 18, 2026