CVSS Score

The vulnerability describes CSRF-triggered deletion of blocks. In Magento's architecture, block deletion is handled by an admin controller action, so the absence of CSRF protection in the Delete controller's execute method would allow forged requests to be processed. No direct code diffs are available, but Magento's security update notes specifically mention PRODSECBUG-2125 (this CVE) as a CSRF flaw in block deletion, strongly implicating the Delete controller action as the vulnerable entry point. Standard Magento admin controllers require the @Adminhtml annotation and form key validation; a missing check here would create the vulnerability.
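For reference, here is what a CSRF-protected admin delete action looks like in Magento 2.3. This is an added illustrative example, not Magento's own code and not the patched code for this CVE; the `Vendor\Module` namespace, the `Delete` class and its wiring are hypothetical, while the framework classes (`CsrfAwareActionInterface`, `HttpPostActionInterface`, the form key `Validator`, `BlockRepositoryInterface`) are real Magento 2.3 APIs. The point is that the request is rejected before `execute()` runs when the form key is missing or wrong, and that the action only answers POST.

```php
<?php
// Added example (not Magento project code): a hypothetical admin controller
// that deletes a CMS block and enforces CSRF protection explicitly.
// Assumed: the Vendor\Module namespace; everything else is Magento 2.3 API.
declare(strict_types=1);

namespace Vendor\Module\Controller\Adminhtml\Block;

use Magento\Backend\App\Action;
use Magento\Backend\App\Action\Context;
use Magento\Cms\Api\BlockRepositoryInterface;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\App\CsrfAwareActionInterface;
use Magento\Framework\App\Request\InvalidRequestException;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\Controller\ResultInterface;
use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;
use Magento\Framework\Phrase;

class Delete extends Action implements HttpPostActionInterface, CsrfAwareActionInterface
{
    /** ACL resource checked by _isAllowed(); the CMS block resource. */
    const ADMIN_RESOURCE = 'Magento_Cms::block';

    /** @var FormKeyValidator */
    private $formKeyValidator;

    /** @var BlockRepositoryInterface */
    private $blockRepository;

    public function __construct(
        Context $context,
        FormKeyValidator $formKeyValidator,
        BlockRepositoryInterface $blockRepository
    ) {
        parent::__construct($context);
        $this->formKeyValidator = $formKeyValidator;
        $this->blockRepository = $blockRepository;
    }

    /**
     * Called by the dispatcher before execute(). Returning false rejects the
     * request, so a cross-site forged POST that lacks the victim's session
     * form key never reaches the delete logic.
     */
    public function validateForCsrf(RequestInterface $request): ?bool
    {
        return $this->formKeyValidator->validate($request);
    }

    /**
     * What the dispatcher returns to the client when validateForCsrf() fails:
     * a redirect back to the grid with an error message, no deletion.
     */
    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
    {
        return new InvalidRequestException(
            $this->resultRedirectFactory->create()->setPath('*/*/'),
            [new Phrase('Invalid Form Key. Please refresh the page.')]
        );
    }

    public function execute(): ResultInterface
    {
        $resultRedirect = $this->resultRedirectFactory->create();
        $id = (int) $this->getRequest()->getParam('block_id');
        if ($id === 0) {
            $this->messageManager->addErrorMessage(__('We can\'t find a block to delete.'));
            return $resultRedirect->setPath('*/*/');
        }
        try {
            $this->blockRepository->deleteById($id);
            $this->messageManager->addSuccessMessage(__('You deleted the block.'));
        } catch (\Exception $e) {
            $this->messageManager->addErrorMessage($e->getMessage());
        }
        return $resultRedirect->setPath('*/*/');
    }
}
```

Two things make this resistant to the class of flaw described above: the form key check runs in `validateForCsrf()` before any state change, and `HttpPostActionInterface` means a plain GET link (the usual CSRF carrier for image tags or redirects) is not a valid way to invoke the action at all. On admin routes Magento's `AbstractAction` also validates the secret key or form key during dispatch, so a reviewer auditing a delete action should confirm that neither that framework check nor a per-action check has been bypassed or disabled.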
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1.0, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2.0, < 2.2.9 | 2.2.9 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.2 | 2.3.2 |