Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public sharing_code, but loads the acted-on wishlist item by a separate global wishlist_item_id and never verifies that the item belongs to the shared wishlist referenced by that code. This lets an attacker use a valid shared wishlist code for wishlist A and a wishlist item ID belonging to victim wishlist B to import victim item B into the attacker's cart through the shared wishlist flow for wishlist A. Because the victim item's stored buyRequest is reused during cart import, the victim's private custom-option data is copied into the attacker's quote. If the product uses a file custom option, this can be elevated to cross-user file disclosure because the imported file metadata is preserved and the download endpoint is not ownership-bound. Version 20.17.0 patches the issue.
AnalysisAI
Magento LTS prior to version 20.17.0 allows authenticated attackers to access private wishlist items from other users via an authorization bypass in the shared wishlist add-to-cart endpoint. The vulnerability permits an attacker with a valid sharing code for one wishlist to import items from a different victim's wishlist into their cart by manipulating the wishlist_item_id parameter, potentially exposing private custom option data and enabling cross-user file disclosure when file upload custom options are present. CVSS 5.3 (AV:N/AC:L/PR:L) indicates network-accessible exploitation requiring low privileges; patch version 20.17.0 resolves the issue.
Technical ContextAI
Magento LTS is a community-maintained fork of the Magento Community Edition e-commerce platform written in PHP. The vulnerability resides in the shared wishlist add-to-cart endpoint (part of the Wishlist module), which implements a two-parameter authorization model: a public sharing_code that grants access to a specific shared wishlist, and a wishlist_item_id that identifies the product to add to cart. The flaw is a classic insecure direct object reference (IDOR) combined with insufficient cross-reference validation. When processing the add-to-cart request, the endpoint verifies the sharing_code belongs to a valid wishlist but fails to validate that the specified wishlist_item_id actually belongs to that same wishlist. This allows an attacker to supply a valid sharing_code from wishlist A with an item ID from the victim's wishlist B, bypassing ownership checks. The vulnerability is classified as CWE-862 (Missing Authorization), indicating the system fails to enforce authorization policies before performing sensitive operations. The reuse of the victim's stored buyRequest data during import is the attack vector for escalating to custom option disclosure and, when file uploads are involved, cross-user file access due to the download endpoint not being bound to the file owner.
RemediationAI
Magento LTS users should upgrade to version 20.17.0 or later immediately to patch the authorization bypass. The vendor fix verifies that wishlist_item_id belongs to the shared wishlist referenced by the sharing_code before processing add-to-cart requests, eliminating the IDOR condition. For users unable to immediately upgrade, implement network-level or application-level mitigations: restrict access to the shared wishlist add-to-cart endpoint (typically /wishlist/shared/add/) to authenticated users only via Web Application Firewall rules, monitor for suspicious patterns of wishlist_item_id enumeration or mismatches between sharing_code and item ownership, and audit wishlist sharing logs for cross-account item imports. If custom options with file uploads are in use, additionally verify file download endpoints enforce ownership checks (not part of this CVE but a correlated risk). Note that these mitigations do not address the underlying logic flaw and should be treated as temporary controls pending patching. Reference the OpenMage security advisory at https://github.com/OpenMage/magento-lts/security/advisories/GHSA-665x-ppc4-685w for detailed patch release notes.
Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitr
Remote code execution in Adobe Flash Player 21.0.0.226 and earlier allows unauthenticated network attackers to execute a
Adobe Flash Player contains a heap-based buffer overflow that allows remote code execution, exploited as a zero-day in J
Adobe Reader and Acrobat contain an unspecified U3D component vulnerability causing memory corruption that allows remote
Adobe Flash Player contains a type confusion vulnerability in object handling that allows remote attackers to execute ar
Adobe Reader and Acrobat 9.x, 8.x, and 7.x contain a stack-based buffer overflow in the getIcon method of the Collab obj
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Ma
Adobe Reader and Acrobat contain a use-after-free vulnerability in the Doc.media.newPlayer JavaScript method that was ac
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Window
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and pos
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23903
GHSA-665x-ppc4-685w