GHSA-94wq-87g6-8h77

Suggest an improvement
Source
https://github.com/advisories/GHSA-94wq-87g6-8h77
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-94wq-87g6-8h77/GHSA-94wq-87g6-8h77.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-94wq-87g6-8h77
Aliases
Published
2022-05-24T19:17:41Z
Modified
2025-03-04T16:27:10.841346Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
  • 4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Magento Open Source allows Cross-Site Request Forgery (CSRF)
Details

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to a customer's cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

Database specific
{
    "nvd_published_at": "2021-10-15T15:15:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-04T15:53:16Z"
}
References

Affected packages

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.2-p1
Last affected
2.4.2-p2

Affected versions

2.*

2.4.2-p1
2.4.2-p2

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Affected versions

2.*

2.4.3

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.7-p2

Affected versions

0.*

0.1.0-alpha89
0.1.0-alpha90
0.1.0-alpha91
0.1.0-alpha92
0.1.0-alpha93
0.1.0-alpha94
0.1.0-alpha95
0.1.0-alpha96
0.1.0-alpha97
0.1.0-alpha98
0.1.0-alpha99
0.1.0-alpha100
0.1.0-alpha101
0.1.0-alpha102
0.1.0-alpha103
0.1.0-alpha104
0.1.0-alpha105
0.1.0-alpha106
0.1.0-alpha107
0.1.0-alpha108
0.42.0-beta1
0.42.0-beta2
0.42.0-beta3
0.42.0-beta4
0.42.0-beta5
0.42.0-beta6
0.42.0-beta7
0.42.0-beta8
0.42.0-beta9
0.42.0-beta10
0.42.0-beta11
0.74.0-beta1
0.74.0-beta2
0.74.0-beta3
0.74.0-beta4
0.74.0-beta5
0.74.0-beta6
0.74.0-beta7
0.74.0-beta8
0.74.0-beta9
0.74.0-beta10
0.74.0-beta11
0.74.0-beta12
0.74.0-beta13
0.74.0-beta14
0.74.0-beta15
0.74.0-beta16

1.*

1.0.0-beta
1.0.0-beta2
1.0.0-beta3
1.0.0-beta4
1.0.0-beta5
1.0.0-beta6

2.*

2.0.0-rc
2.0.0-rc2
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.1.0-rc1
2.1.0-rc2
2.1.0-rc3
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.18
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.3.0
2.3.1
2.3.2
2.3.2-p2
2.3.3
2.3.3-p1
2.3.4
2.3.4-p2
2.3.5
2.3.5-p1
2.3.5-p2
2.3.6
2.3.6-p1
2.3.7
2.3.7-p1

Database specific

{
    "last_known_affected_version_range": "<= 2.3.7-p1"
}

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Affected versions

2.*

2.4.2

Packagist / magento/project-community-edition

Package

Name
magento/project-community-edition
Purl
pkg:composer/magento/project-community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.0.2

Affected versions

0.*

0.1.0-alpha89
0.1.0-alpha90
0.1.0-alpha91
0.1.0-alpha92
0.1.0-alpha93
0.1.0-alpha94
0.1.0-alpha95
0.1.0-alpha96
0.1.0-alpha97
0.1.0-alpha98
0.1.0-alpha99
0.1.0-alpha100
0.1.0-alpha101
0.1.0-alpha102
0.1.0-alpha103
0.1.0-alpha104
0.1.0-alpha105
0.1.0-alpha106
0.1.0-alpha107
0.1.0-alpha108
0.42.0-beta1
0.42.0-beta2
0.42.0-beta3
0.42.0-beta4
0.42.0-beta5
0.42.0-beta6
0.42.0-beta7
0.42.0-beta8
0.42.0-beta9
0.42.0-beta10
0.42.0-beta11
0.74.0-beta1
0.74.0-beta2
0.74.0-beta3
0.74.0-beta4
0.74.0-beta5
0.74.0-beta6
0.74.0-beta7
0.74.0-beta8
0.74.0-beta9
0.74.0-beta10
0.74.0-beta11
0.74.0-beta12
0.74.0-beta13
0.74.0-beta14
0.74.0-beta15
0.74.0-beta16

1.*

1.0.0-beta

2.*

2.0.0-rc
2.0.0-rc2
2.0.0
2.0.1
2.0.2