Magento Commerce Multishipping Module Improper Input Validation Could Lead To Information Exposure
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper input validation in Magento Commerce's Multishipping Module lets an authenticated attacker disclose sensitive information.
Vulnerability
An improper input validation vulnerability exists in the Multishipping Module of Magento Commerce. Affected versions are 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) [1]. The flaw resides in the way the module handles user-supplied input, allowing an authenticated attacker to bypass intended validation checks [1].
Exploitation
An attacker must be authenticated to the Magento Commerce instance. The available descriptions do not name any user role or privilege required beyond authentication [1]. The exact exploitation steps are not detailed in the available references, but the attacker would send crafted requests to the Multishipping Module endpoint, exploiting the missing input validation to trigger sensitive data exposure [1].
Impact
Successful exploitation leads to sensitive information disclosure [1]. The type of information exposed is not specified in the available references, but it could include customer data, order details, or internal configuration values. The confidentiality impact is the primary consequence, with no indication of integrity or availability compromise [1].
Mitigation
Adobe released security patches for this vulnerability. For Magento Commerce 2.4.2 and 2.4.2-p1, upgrade to version 2.4.3 or later. For 2.3.7, upgrade to version 2.3.8 or later. The fixed releases were made available on September 1, 2021 [1]. No workarounds are documented in the provided references [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition (Packagist) | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
- Range: <= 2.4.2, <= 2.4.2-p1, <= 2.3.7
- GHSA coordinates (2 versions): < 2.3.7-p1 and 1 more
- (no CPE) range: < 2.3.7-p1
- (no CPE) range: <= 2.0.2
- Adobe / Magento Commerce (v5): range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wgpr-9675-8r67 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36038 (advisory)
- helpx.adobe.com/security/products/magento/apsb21-64.html (web, x_refsource_MISC)
News mentions
No linked articles in our index yet.