CVE-2021-39864 MEDIUM

CVE-2021-39864: Adobe Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Cart Addition

Vendor: Adobe
Product: Magento Commerce
Weakness: CWE-352 · CSRF
Published: October 15, 2021
Last update: April 23, 2025

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

Key dates

02 Disclosure timeline

October 15, 2021: CVE published
April 23, 2025: Record updated
