Magento Commerce `quoteId` parameter Incorrect Authorization Vulnerability Could Lead To Information Disclosure
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the quoteId parameter. An attacker can abuse this vulnerability to disclose sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento Commerce improper input validation in the quoteId parameter allows attackers to disclose sensitive information.
Vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the quoteId parameter. This allows an attacker to disclose sensitive information [1].
Exploitation
An attacker can send a specially crafted request with a malicious quoteId parameter to exploit the vulnerability. No authentication is required, and the attack can be performed remotely [1].
Impact
Successful exploitation leads to the disclosure of sensitive information, such as customer data or order details, potentially compromising user privacy.
Mitigation
Mitigation is not explicitly described in the reference, but upgrading to a version later than 2.4.2, 2.4.2-p1, or 2.3.7 should mitigate the vulnerability. Adobe recommends applying the latest security updates.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (registry) | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition (Packagist) | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
- Range: <= 2.4.2, <= 2.4.2-p1, <= 2.3.7
- GHSA coordinates, 2 versions: < 2.3.7-p1, + 1 more
- (no CPE) range: < 2.3.7-p1
- (no CPE) range: <= 2.0.2
- Adobe/Magento Commerce (v5) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3g7m-g8qm-x6j5 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36039 (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb21-64.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.