Miggo Logo
Miggo Vulnerability Database
CVE-2021-21022

CVE-2021-21022:
Magento Insecure Direct Object Reference (IDOR) in the product module

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-21022
GHSA ID
GHSA-8pfq-g48p-x7w8
EPSS Score
0.30817%
CWE
CWE-285
Published
5/24/2022
Updated
2/10/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer< 2.3.6-p12.3.6-p1
magento/community-editioncomposer>= 2.4.0, < 2.4.1-p12.4.1-p1
magento/project-community-editioncomposer<= 2.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is an IDOR in the product module tied to improper authorization (CWE-285/639). Admin product edit controllers are high-value targets for such flaws. Magento's Product\Edit controller would naturally handle product IDs from requests, and historical patching patterns show similar vulnerabilities were addressed by adding ACL checks in this context. While no direct code diffs are available, the combination of the vulnerability type, affected component (product module), and CWE mapping strongly implicates this entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsions *.*.* (*n* **rli*r), *.*.*-p* (*n* **rli*r) *n* *.*.* (*n* **rli*r) *r* vuln*r**l* to *n ins**ur* *ir**t o*j**t r***r*n** (I*OR) in t** pro*u*t mo*ul*. Su***ss*ul *xploit*tion *oul* l*** to un*ut*oriz** ****ss to r*stri*t** r*sour**s

Reasoning

T** vuln*r**ility is *n I*OR in t** pro*u*t mo*ul* ti** to improp*r *ut*oriz*tion (*W*-***/***). **min pro*u*t **it *ontroll*rs *r* *i**-v*lu* t*r**ts *or su** *l*ws. M***nto's `Pro*u*t\**it` *ontroll*r woul* n*tur*lly **n*l* pro*u*t I*s *rom r*qu*st