6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39864

GHSA ID

GHSA-94wq-87g6-8h77

EPSS Score

0.74124%

CWE

CWE-352

Published

5/24/2022

Updated

3/4/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-39864

CVE-2021-39864: Magento Open Source allows Cross-Site Request Forgery (CSRF)

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to a customer's cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39864

GHSA ID

GHSA-94wq-87g6-8h77

EPSS Score

0.74124%

CWE

CWE-352

Published

5/24/2022

Updated

3/4/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.4.2-p1, <= 2.4.2-p2
magento/community-edition	composer	= 2.4.3
magento/community-edition	composer	<= 2.3.7-p1	2.3.7-p2
magento/community-edition	composer	= 2.4.2
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability specifically involves CSRF via Wishlist Share Links. In Magento's architecture, wishlist sharing is handled by the Share controller action. CSRF vulnerabilities typically occur when state-changing endpoints lack anti-CSRF protections like token validation. Since the exploit requires no authentication and affects wishlist sharing, the execute() method in the Share controller is the most logical point where CSRF checks would be missing. This aligns with Magento's typical CSRF protection patterns (e.g., @CsrfAware annotations or form key validation), which appear to be absent in this endpoint based on the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-p* (*n* **rli*r), *.*.* (*n* **rli*r) *n* *.*.*p* (*n* **rli*r) *r* *****t** *y * *ross-sit* r*qu*st *or**ry (*SR*) vuln*r**ility vi* * Wis*list S**r* Link. Su***ss*ul *xploit*tion *oul* l*** to un*ut*oriz** ***ition to

Reasoning

T** vuln*r**ility sp**i*i**lly involv*s *SR* vi* Wis*list S**r* Links. In M***nto's *r**it**tur*, wis*list s**rin* is **n*l** *y t** S**r* *ontroll*r **tion. *SR* vuln*r**iliti*s typi**lly o**ur w**n st*t*-***n*in* *n*points l**k *nti-*SR* prot**tion

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-39864: Magento Open Source allows Cross-Site Request Forgery (CSRF)

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI