CVE-2021-21029

🗓️ 11 Feb 2021 19:29:32Reported by adobeType

cve🔗 web.nvd.nist.gov📰️ 5 Media mentions👁 82 Views🌐 WEB

Magento versions 2.4.1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability

Reporter	Title	Published	Views	Family All 13
BDU FSTEC	The vulnerability of the Magento Commerce software platform for developing and managing online stores stems from the lack of protective measures for the website structure, allowing attackers to execute arbitrary code.	25 Mar 202100:00	–	bdu_fstec
Circl	CVE-2021-21029	11 Feb 202122:47	–	circl
CNNVD	Adobe Magento 跨站脚本漏洞	9 Feb 202100:00	–	cnnvd
CNVD	Adobe Magento Cross-Site Scripting Vulnerability (CNVD-2021-13918)	10 Feb 202100:00	–	cnvd
Check Point Advisories	Adobe Magento Commerce Reflected Cross Site Scripting (CVE-2021-21029)	22 Feb 202200:00	–	checkpoint_advisories
Cvelist	CVE-2021-21029 Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution	11 Feb 202119:29	–	cvelist
Github Security Blog	Magento Reflected Cross-site Scripting vulnerability via 'file' parameter	24 May 202217:41	–	github
NVD	CVE-2021-21029	11 Feb 202120:15	–	nvd
OSV	BIT-MAGENTO-2021-21029 Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution	6 Mar 202410:59	–	osv
OSV	GHSA-JWXH-WJ79-CCM6 Magento Reflected Cross-site Scripting vulnerability via 'file' parameter	24 May 202217:41	–	osv

NVD

Vulners

Node

magento magentoRange<2.3.6commerce

magento magentoRange<2.3.6open_source

magento magentoMatch2.3.6-commerce

magento magentoMatch2.3.6-open_source

magento magentoMatch2.4.0-commerce

magento magentoMatch2.4.0-open_source

magento magentoMatch2.4.0p1commerce

magento magentoMatch2.4.0p1open_source

magento magentoMatch2.4.1-commerce

magento magentoMatch2.4.1-open_source

[
  {
    "product": "Magento Commerce",
    "vendor": "Adobe",
    "versions": [
      {
        "lessThanOrEqual": "2.4.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "2.4.0-p1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "2.3.6",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "None",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
helpx	www.helpx.adobe.com/security/products/magento/apsb21-08.html

Parameter	Position	Path	Description	CWE
file	path	index.php/admin/admin/system_design_theme/downloadCss/theme_id/1/file/PHNjcmlwdD5hbGVydCgnWFNTIGJ5IFNFQyBDb25zdWx0Jyk8L3NjcmlwdD4%3D/key/0f5d20e8559bb6f45e4840ceb6231870f3a8fe122698b37c32ceabbb33595813	Reflected XSS via the file parameter in Magento admin theme download path (requires admin path and secret key when enabled).	CWE-79
key	path	index.php/admin/admin/system_design_theme/downloadCss/theme_id/1/file/PHNjcmlwdD5hbGVydCgnWFNTIGJ5IFNFQyBDb25zdWx0Jyk8L3NjcmlwdD4%3D/key/0f5d20e8559bb6f45e4840ceb6231870f3a8fe122698b37c32ceabbb33595813	Reflected XSS via the file parameter in Magento admin theme download path (requires admin path and secret key when enabled).	CWE-79
file	path	index.php/admin/admin/system_design_theme/downloadCss/theme_id/1/file/PHNjcmlwdD5hbGVydCgnWFNTIGJ5IFNFQyBDb25zdWx0Jyk8L3NjcmlwdD4%3D/	Reflected XSS via the file parameter in Magento admin theme download path (no secret key in URL).	CWE-79

17 Jun 2026 03:34Current

4.8Medium risk

Vulners AI Score4.8

CVSS 23.5

CVSS 3.14.8

EPSS0.84674

CWE-79