CVE-2021-21027
Magento Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Data Modification
4.3
MEDIUM
CVSS 3.1
EPSS 0.37%
Description
Magento versions 2.4.1 (and earlier), 2.4.0 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.
How to fix CVE-2021-21027
To remediate CVE-2021-21027, upgrade the affected package to a fixed version below.
- —upgrade to 2.3.6 or later
- —upgrade to 2.3.6-p1 or later
- —no fix listed
Is CVE-2021-21027 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.3.6, >= 2.4.0, < 2.4.1
- from 0, < 2.3.6-p1
- from 0, <= 2.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |