{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14381?format=json","vulnerability_id":"VCID-hyhx-vf5r-23ca","summary":"Cross-Site Request Forgery (CSRF)\nA Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series allows a remote attacker to hijack the authentication of Administrators and delete Administrators via a specially crafted web page.","aliases":[{"alias":"CVE-2021-20842"},{"alias":"GHSA-m9hv-qmqh-33qh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63055?format=json","purl":"pkg:composer/ec-cube/ec-cube@2.17.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kjhz-q6aw-4uhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ec-cube/ec-cube@2.17.2"},{"url":"http://public2.vulnerablecode.io/api/packages/55413?format=json","purl":"pkg:composer/ec-cube/ec-cube@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4ve8-yvzz-4qd6"},{"vulnerability":"VCID-7eg3-payv-kbde"},{"vulnerability":"VCID-cqza-hfjv-fubk"},{"vulnerability":"VCID-k8vj-fsux-gkhe"},{"vulnerability":"VCID-kjhz-q6aw-4uhx"},{"vulnerability":"VCID-rjm5-yuee-k3g5"},{"vulnerability":"VCID-x8mj-q2mx-pfcp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ec-cube/ec-cube@3.0.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55411?format=json","purl":"pkg:composer/ec-cube/ec-cube@2.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kj3-cmf1-s3dq"},{"vulnerability":"VCID-hyhx-vf5r-23ca"},{"vulnerability":"VCID-kjhz-q6aw-4uhx"},{"vulnerability":"VCID-pwa6-uya4-jyc8"},{"vulnerability":"VCID-xedu-tupx-8yc7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ec-cube/ec-cube@2.11.0"},{"url":"http://public2.vulnerablecode.io/api/packages/58619?format=json","purl":"pkg:composer/ec-cube/ec-cube@2.17.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9bdg
-6yj2-5bcw"},{"vulnerability":"VCID-hyhx-vf5r-23ca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ec-cube/ec-cube@2.17.1"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-20842","reference_id":"","reference_type":"","scores":[{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28689","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-20842"},{"reference_url":"https://jvn.jp/en/jp/JVN75444925/index.html","reference_id":"","reference_type":"","scores":[],"url":"https://jvn.jp/en/jp/JVN75444925/index.html"},{"reference_url":"https://www.ec-cube.net/info/weakness/20211111","reference_id":"","reference_type":"","scores":[],"url":"https://www.ec-cube.net/info/weakness/20211111"},{"reference_url":"https://www.ec-cube.net/info/weakness/20211111/","reference_id":"","reference_type":"","scores":[],"url":"https://www.ec-cube.net/info/weakness/20211111/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20842","reference_id":"CVE-2021-20842","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20842"},{"reference_url":"https://github.com/advisories/GHSA-m9hv-qmqh-33qh","reference_id":"GHSA-m9hv-qmqh-33qh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m9hv-qmqh-33qh"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":352,"name":"Cross-Site Request Forgery (CSRF)","description":"The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known 
Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hyhx-vf5r-23ca"}