Description

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

Remediation

References

CVE-2021-28563

Related Vulnerabilities

WordPress Plugin AddToAny Share Buttons Cross-Site Scripting (1.7.45)

WordPress Plugin WP Mailster Cross-Site Scripting (1.6.1)

WordPress Plugin OptionTree Cross-Site Scripting (2.5.3)

PHP Deserialization of Untrusted Data Vulnerability (CVE-2007-1701)

WordPress Plugin Social Like Box and Page by WpDevArt Cross-Site Scripting (0.8.40)

Severity

Medium

Classification

CVE-2021-28563 CWE-285 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities