Magento Commerce Gift Card Business Logic Error
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder GraphQL mutation. An authenticated attacker can leverage this vulnerability to alter the price of an item.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento Commerce has a business logic error in the placeOrder GraphQL mutation, allowing authenticated users to alter item prices.
Vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) contain a business logic error in the placeOrder GraphQL mutation [1]. This vulnerability allows an authenticated attacker to modify the price of an item during order placement.
Exploitation
An attacker must be authenticated to the Magento instance and have the ability to send GraphQL requests. By manipulating the placeOrder mutation inputs, the attacker can alter the price of items in the order without proper validation [1].
Impact
Successful exploitation enables the attacker to purchase items at a lower price than intended, leading to financial loss for the merchant. The impact is limited to price manipulation and does not directly result in remote code execution or data disclosure [1].
Mitigation
No fix is mentioned in the available references [1]. Adobe has not publicly disclosed a patch for this vulnerability as of the reference publication date. Users should monitor official Adobe security advisories for updates.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition (Packagist) | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products (4)
- (no CPE) range: <=2.4.2-p1, <=2.3.7
- (no CPE) range: unspecified
- ghsa-coords (2 versions):
  - (no CPE) range: < 2.3.7-p1
  - (no CPE) range: <= 2.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3f97-7pgv-gmgr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36012 (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb21-64.html (Adobe advisory, via GHSA)
News mentions
No linked articles in our index yet.