Miggo Logo
Miggo Vulnerability Database
CVE-2021-21027

CVE-2021-21027: Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-21027
GHSA ID
GHSA-h4xc-577p-hgj9
EPSS Score
0.3594%
CWE
CWE-352
Published
5/24/2022
Updated
2/10/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer< 2.3.6-p12.3.6-p1
magento/community-editioncomposer>= 2.4.0, < 2.4.22.4.2
magento/project-community-editioncomposer<= 2.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The patch modifies the HttpVerbValidator class to correctly validate the HTTP verb for GraphQL requests. The previous implementation was vulnerable to CSRF attacks, and the modified code addresses this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsions *.*.* (*n* **rli*r), *.*.*-p* (*n* **rli*r) *n* *.*.* (*n* **rli*r) *r* *****t** *y * *ross-sit* r*qu*st *or**ry (*SR*) vuln*r**ility vi* t** *r*p*QL *PI. Su***ss*ul *xploit*tion *oul* l*** to un*ut*oriz** mo*i*i**tion o* *ustom*r m*

Reasoning

T** p*t** mo*i*i*s t** `*ttpV*r*V*li**tor` *l*ss to *orr**tly v*li**t* t** *TTP v*r* *or *r*p*QL r*qu*sts. T** pr*vious impl*m*nt*tion w*s vuln*r**l* to *SR* *tt**ks, *n* t** mo*i*i** *o** ***r*ss*s t*is vuln*r**ility.