Main Vulnerability Database Vulnerabilities #VU8454

Cross-site request forgery in Adobe Commerce (formerly Magento Commerce) and Magento Open Source - #VU8454

Published: September 15, 2017

Vulnerability identifier: #VU8454

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Adobe

Affected software:
Adobe Commerce (formerly Magento Commerce)
Magento Open Source

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to perform CSRF attack.

The weakness exists due to improper input validation in the customer group. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.

Remediation

The vulnerability is addressed in the following versions:
Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, Magento 2.0.16 and 2.1.9.

Sources

https://magento.com/security/patches/magento-2016-and-219-security-update

Cross-site request forgery in Adobe Commerce (formerly Magento Commerce) and Magento Open Source - #VU8454

Detailed vulnerability description

Remediation

Sources

Please verify you're human