Multiple vulnerabilities in Magento Commerce and Magento Open Source
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 26 |
| CVE-ID | CVE-2021-36012 CVE-2021-36035 CVE-2021-36033 CVE-2021-36028 CVE-2021-36020 CVE-2021-36043 CVE-2021-36039 CVE-2021-36023 CVE-2021-36022 CVE-2021-36031 CVE-2021-36042 CVE-2021-36041 CVE-2021-36040 CVE-2021-36034 CVE-2021-36026 CVE-2021-36025 CVE-2021-36024 CVE-2021-36021 CVE-2021-36038 CVE-2021-36030 CVE-2021-36032 CVE-2021-36044 CVE-2021-36037 CVE-2021-36029 CVE-2021-36036 CVE-2021-36027 |
| CWE-ID | CWE-840 CWE-20 CWE-91 CWE-918 CWE-285 CWE-78 CWE-22 CWE-79 CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Adobe Commerce (formerly Magento Commerce) Web applications / E-Commerce systems Magento Open Source Web applications / E-Commerce systems |
| Vendor | Magento, Inc |
Security Bulletin
This security bulletin contains information about 26 vulnerabilities.
1) Business Logic Errors
EUVDB-ID: #VU55738
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36012
CWE-ID:
CWE-840 - Business Logic Errors (3.0)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to logical errors. A remote authenticated attacker can bypass security features on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU55752
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36035
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) XML injection
EUVDB-ID: #VU55765
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36033
CWE-ID:
CWE-91 - XML Injection
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing XML data. A remote administrator can pass specially crafted XML data to the application and perform arbitrary actions on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) XML injection
EUVDB-ID: #VU55764
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36028
CWE-ID:
CWE-91 - XML Injection
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing XML data. A remote administrator can pass specially crafted XML data to the application and perform arbitrary actions on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) XML injection
EUVDB-ID: #VU55763
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36020
CWE-ID:
CWE-91 - XML Injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper input validation when processing XML data. A remote unauthenticated attacker can pass specially crafted XML data to the application and perform arbitrary actions on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU55761
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36043
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper Authorization
EUVDB-ID: #VU55759
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36039
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to insufficient authorization checks. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) OS Command Injection
EUVDB-ID: #VU55758
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36023
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) OS Command Injection
EUVDB-ID: #VU55757
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36022
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Path traversal
EUVDB-ID: #VU55756
Risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36031
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote administrator can send a specially crafted HTTP request and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Input validation error
EUVDB-ID: #VU55755
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36042
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Input validation error
EUVDB-ID: #VU55754
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36041
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Input validation error
EUVDB-ID: #VU55753
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36040
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Input validation error
EUVDB-ID: #VU55751
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36034
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Stored cross-site scripting
EUVDB-ID: #VU55739
Risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36026
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Input validation error
EUVDB-ID: #VU55750
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36025
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Input validation error
EUVDB-ID: #VU55749
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36024
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Input validation error
EUVDB-ID: #VU55748
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36021
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote administrator can pass specially crafted input to the application and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Input validation error
EUVDB-ID: #VU55747
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36038
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated attacker can pass specially crafted input to the application and bypass security features on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Input validation error
EUVDB-ID: #VU55746
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36030
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and bypass security features on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Input validation error
EUVDB-ID: #VU55745
Risk: Medium
CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36032
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated attacker can pass specially crafted input to the application and escalate privileges on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Input validation error
EUVDB-ID: #VU55744
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36044
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Improper Authorization
EUVDB-ID: #VU55743
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36037
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to insufficient authorization checks. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the system.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Improper Authorization
EUVDB-ID: #VU55742
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36029
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to insufficient authorization checks. A remote administrator can bypass implemented security restrictions and gain unauthorized access to the application.
Install updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Improper access control
EUVDB-ID: #VU55741
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36036
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote administrator can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Stored cross-site scripting
EUVDB-ID: #VU55740
Risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36027
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAdobe Commerce (formerly Magento Commerce): 2.3.0 - 2.4.2-p1
Magento Open Source: 2.3.0 - 2.4.2-p1
External linkshttp://helpx.adobe.com/security/products/magento/apsb21-64.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
