CVE-2018-5301
Description
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Magento allows attackers to delete a customer address without consent, affecting versions before 2.0.10 and 2.1.x before 2.1.2.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Magento Community Edition and Enterprise Edition prior to version 2.0.10 and in 2.1.x prior to 2.1.2 [1]. The flaw allows an attacker to trigger the deletion of a customer address from the address book without the victim's knowledge or consent, identified as APPSEC-1433.
Exploitation
To exploit this vulnerability, an attacker hosts a page that issues the address-deletion request to the store (for example an auto-submitting form or a crafted link) and lures a customer who is logged into Magento into loading it. The browser attaches the customer's session cookie to the cross-site request, so the store processes the deletion as if the customer had requested it. No special network access or authentication is required beyond the victim being logged in [1]; the attacker does need to supply (or guess) the identifier of the address to delete.
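The following is an added illustration, not Magento's code: a minimal address-deletion handler in the CSRF-prone shape (it trusts the session cookie alone) beside a hardened one that requires a POST carrying a per-session anti-CSRF token. The handler names, the `id` parameter, the `form_key` token name and the sample address book are assumptions for the example; `run_scenario` sends one legitimate request and one forged cross-site request to whichever handler it is given.

```python
# Added example (not Magento code). Endpoint shape, parameter names and the
# "form_key" token name are assumptions made for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    """Server-side session that the customer's cookie resolves to."""
    customer_id: int
    # Per-session anti-CSRF token: rendered into legitimate forms, not readable cross-site.
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    # The browser sends the session cookie on cross-site requests too, so a forged
    # request resolves to the victim's session exactly like a legitimate one.
    session: Optional[Session]


class AddressBook:
    def __init__(self, addresses: Dict[int, Tuple[int, str]]):
        self.addresses = dict(addresses)  # address_id -> (owner customer_id, label)

    def delete(self, customer_id: int, address_id: int) -> bool:
        owner = self.addresses.get(address_id, (None,))[0]
        if owner != customer_id:
            return False
        del self.addresses[address_id]
        return True


def _address_id(req: Request) -> Optional[int]:
    try:
        return int(req.params.get("id", ""))
    except ValueError:
        return None


def delete_address_vulnerable(book: AddressBook, req: Request) -> int:
    """CSRF-prone shape: only checks that a logged-in session exists. Returns an HTTP status."""
    if req.session is None:
        return 401
    address_id = _address_id(req)
    if address_id is None:
        return 400
    return 200 if book.delete(req.session.customer_id, address_id) else 404


def delete_address_hardened(book: AddressBook, req: Request) -> int:
    """Hardened shape: state change only via POST that carries the session's form key."""
    if req.session is None:
        return 401
    if req.method != "POST":
        return 405  # a GET must never change state; an <img> or link cannot send a POST body
    supplied = req.params.get("form_key", "")
    # Constant-time comparison; the attacker's page cannot read the victim's form key.
    if not hmac.compare_digest(supplied, req.session.form_key):
        return 403
    address_id = _address_id(req)
    if address_id is None:
        return 400
    return 200 if book.delete(req.session.customer_id, address_id) else 404


def run_scenario(handler: Callable[[AddressBook, Request], int]) -> Tuple[int, int, bool]:
    """Sends a legitimate delete, then a forged cross-site delete, to `handler`.
    Returns (legit_status, forged_status, targeted_address_still_present)."""
    victim = Session(customer_id=7)
    book = AddressBook({10: (7, "home"), 11: (7, "work")})  # constructed sample data

    # Legitimate delete: the form rendered by the store includes the session form key.
    legit = Request("POST", {"id": "10", "form_key": victim.form_key}, victim)
    legit_status = handler(book, legit)

    # Forged delete from the attacker's page: the cookie rides along, but the
    # attacker knows neither the form key nor (with certainty) the address id.
    forged = Request("POST", {"id": "11"}, victim)
    forged_status = handler(book, forged)
    return legit_status, forged_status, 11 in book.addresses


if __name__ == "__main__":
    print("vulnerable:", run_scenario(delete_address_vulnerable))  # forged delete succeeds
    print("hardened:  ", run_scenario(delete_address_hardened))    # forged delete rejected
```

Against the vulnerable handler the forged request returns 200 and the address is gone; against the hardened one it returns 403 and the address survives, while the legitimate request succeeds in both. The token check is the primary control; restricting state changes to POST and setting the session cookie's SameSite attribute are general defence-in-depth measures, not something the advisory describes.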
Impact
Successful exploitation results in the unauthorized deletion of a customer address from the victim's address book. This can lead to inconvenience for the customer, potential disruption of order fulfillment if the deleted address was primary, and loss of stored data. The impact is limited to address deletion, with no further compromise of the system [1].
Mitigation
A security update was released by Magento to address this vulnerability. Users should upgrade to Magento 2.0.10 or later for the 2.0.x branch, or Magento 2.1.2 or later for the 2.1.x branch [1][3]. If upgrading is not immediately possible, administrators should apply the security patch provided in the Magento Security Center [3]. No workarounds are documented.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | < 2.0.10 | 2.0.10 |
| magento/community-edition (Packagist) | >= 2.1.0, < 2.1.2 | 2.1.2 |
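As an added check (not a Magento tool), the function below encodes the two affected ranges from the table and applies them to a version string, including pre-release tags, which sort before the release they precede. `installed_version` reads the version out of a composer.lock document; the assumption that the lock file lists the package under the table's name, and the embedded sample lock file, are constructed for the example.

```python
# Added example (not Magento tooling). Assumes composer.lock lists the package under
# the name used in the table above; the sample lock content is constructed.
import json
from typing import List, Optional, Tuple

# (lower bound inclusive or None, upper bound exclusive), from the affected-packages table
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "2.0.10"),
    ("2.1.0", "2.1.2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.1.2' -> (2, 1, 2, 0); '2.1.2-rc1' -> (2, 1, 2, -1) so pre-releases sort first."""
    core, _, pre = version.lstrip("v").partition("-")
    core = core.split("+")[0]
    numbers = tuple(int(part) for part in core.split("."))
    return numbers + ((-1,) if pre else (0,))


def is_affected(version: str) -> bool:
    """True if `version` falls inside any affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return True
    return False


def installed_version(composer_lock: str, package: str = "magento/community-edition") -> Optional[str]:
    """Version of `package` recorded in a composer.lock document, or None if absent."""
    data = json.loads(composer_lock)
    for entry in data.get("packages", []) + data.get("packages-dev", []):
        if entry.get("name") == package:
            return entry.get("version")
    return None


# Constructed sample lock file for the example.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "100.1.1"},
        {"name": "magento/community-edition", "version": "2.1.1"},
    ]
})


def check_lock(composer_lock: str) -> Tuple[Optional[str], bool]:
    """Returns (installed version, affected?) for a composer.lock document."""
    version = installed_version(composer_lock)
    return version, bool(version) and is_affected(version)


if __name__ == "__main__":
    print(check_lock(SAMPLE_COMPOSER_LOCK))
```

Run it against a real lock file with `check_lock(open("composer.lock").read())`; a 2.2.x install is reported as not affected because it lies outside both ranges.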
Affected products: 1
Patches: 0 (no patches discovered yet)
References
[1] GitHub Security Advisory GHSA-w3mq-67mw-3p9f: https://github.com/advisories/GHSA-w3mq-67mw-3p9f
[2] NVD entry for CVE-2018-5301: https://nvd.nist.gov/vuln/detail/CVE-2018-5301
[3] Magento Security Center, 2.0.10 and 2.1.2 security update (vendor confirmation): https://magento.com/security/patches/magento-2010-and-212-security-update