CVE-2021-36012

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://helpx.adobe.com/security/products/magento/apsb21-64.html	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:adobe:adobe_commerce::::::::
	cpe:2.3:a:adobe:adobe_commerce::::::::
	cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1::::::
	cpe:2.3:a:adobe:magento_open_source::::::::
	cpe:2.3:a:adobe:magento_open_source::::::::
	cpe:2.3:a:adobe:magento_open_source:2.4.2:p1::::::

History

25 Apr 2022, 17:25

Type	Values Removed	Values Added
CWE	~~CWE-840~~	NVD-CWE-noinfo

08 Sep 2021, 16:14

Type	Values Removed	Values Added
References	~~(MISC) https://helpx.adobe.com/security/products/magento/apsb21-64.html -~~	(MISC) https://helpx.adobe.com/security/products/magento/apsb21-64.html - Patch, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : 4.0 v3 : 6.5
CPE		cpe:2.3:a:adobe:magento_open_source:::::::: cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:::::: cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:::::: cpe:2.3:a:adobe:adobe_commerce::::::::

01 Sep 2021, 15:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-09-01 15:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-36012

Mitre link : CVE-2021-36012

CVE.ORG link : CVE-2021-36012

JSON object : View

Products Affected

adobe

adobe_commerce
magento_open_source

CWE

NVD-CWE-noinfo CWE-840

Business Logic Errors

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2021-36012

6.5^/10

4.0^/10

Attach tags to `CVE-2021-36012`