23 matches found
CVE-2021-36031
CVE-2021-36031 is a path-traversal vulnerability in Magento Commerce affecting versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The issue allows an attacker with admin privileges to trigger remote code execution via the theme[preview_image] parameter. The connected d...
CVE-2021-36022
Magento Commerce is affected by an XML Injection vulnerability in the Widgets Update Layout across versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The underlying issue allows an attacker with admin privileges to trigger a crafted script that achieves remote code exe...
CVE-2021-36044
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability that allows an unauthenticated attacker to cause a server-side denial-of-service via a GraphQL field. The issue is rooted in input validation an...
CVE-2021-36026
Magento Commerce stored cross-site scripting (XSS) in the customer address upload feature affects Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The vulnerability allows an attacker to inject malicious JavaScript into vulnerable form fields, which ...
CVE-2021-36029
Magento Commerce vulnerabilities (CVE-2021-36029) affect versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The issue is improper authorization that could allow an attacker with admin privileges to perform remote code execution. Connected advisories confirm this is a Magento...
CVE-2021-36020
Magento Commerce versions 2.4.2 and earlier (including 2.4.2-p1 and 2.3.7 and earlier) are affected by an XML Injection vulnerability in the City field that allows unauthenticated remote code execution. The issue is triggered by a specially crafted input and can compromise the server. Public refe...
CVE-2021-36024
CVE-2021-36024 affects Magento Commerce 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The root cause is Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint, enabling an attacker with admin privileges to upload a crafted file to achieve ...
CVE-2021-36041
CVE-2021-36041 affects Magento Commerce; versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are vulnerable to improper input validation. An attacker with admin privileges can upload a crafted file in the pub/media directory to achieve remote code execution. Documented i...
CVE-2021-36012
CVE-2021-36012 describes a business-logic flaw in Magento Commerce’s placeOrder GraphQL mutation where an authenticated attacker can alter the price of an item, affecting Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The vulnerability stems from a...
CVE-2021-36035
CVE-2021-36035 affects Magento Commerce (2.4.2 and earlier; 2.4.2-p1 and earlier; 2.3.7 and earlier). The root cause is improper input validation in the Magento Stock Media flow, allowing an attacker with admin privileges to send a crafted request to the Adobe Stock API and achieve remote code ex...
CVE-2021-36033
CVE-2021-36033 refers to an XML Injection in the Magento Commerce Widgets Module. Affected software includes Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The vulnerability allows an attacker with administrative privileges to submit specially crafted XM...
CVE-2021-36032
Magento Commerce is affected by CVE-2021-36032, an improper input validation vulnerability leading to an insecure direct object reference in the V1/customers/me endpoint. The issue allows an authenticated attacker to access information and escalate privileges within Magento Commerce versions 2.4....
CVE-2021-36042
Magento Commerce CVE-2021-36042 describes an improper input validation vulnerability in the API File Option Upload Extension. A user with Admin privileges can upload unrestricted files, enabling remote code execution. Affected versions include 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 an...
CVE-2021-36034
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability that allows remote code execution via a specially crafted file uploaded by an attacker with admin privileges. The issue stems from insufficient ...
CVE-2021-36038
Magento Commerce prior to 2.4.3 and 2.3.x are affected by CVE-2021-36038 due to an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could use this vulnerability to disclose sensitive information. Affected versions include 2.4.2 and earlier, 2.4.2-p1 a...
CVE-2021-36040
CVE-2021-36040 affects Magento Commerce: versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The issue is improper input validation that allows an attacker with admin privileges to upload a specially crafted file and bypass file extension restrictions, potentially enabl...
CVE-2021-36027
Magento Commerce’s CVE-2021-36027 describes a stored XSS in form fields affecting Magento Community/Commerce editions prior to certain patched releases. Affected versions include 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The vulnerability allows an attacker to inject malicio...
CVE-2021-36039
CVE-2021-36039 affects Magento Commerce: improper input validation via the quoteId parameter can lead to information disclosure. Affected: Magento Commerce editions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The vulnerability is described as allowing an attacker to disclose s...
CVE-2021-36037
CVE-2021-36037 affects Magento Commerce: Magento Commerce 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are impacted by an improper authorization vulnerability that could allow an authenticated attacker to obtain sensitive information. The issue is described in ...
CVE-2021-36030
Magento Commerce before 2.4.2-p1 and 2.3.7 (and earlier 2.4.2) contain an improper input validation flaw during checkout that can let an unauthenticated attacker alter item prices. This is documented across multiple sources (NVD entry CVE-2021-36030, GHSA/RHFF-65HP-55RW, OSV, and related advisori...
CVE-2021-36028
CVE-2021-36028 (Magento Commerce) is an XML Injection vulnerability affecting Magento versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The root cause is XML injection when saving a configurable product. An attacker with admin privileges can trigger a crafted script to achi...
CVE-2021-36043
CVE-2021-36043 affects Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The root cause is a blind SSRF in the bundled dotmailer extension, which an attacker with admin privileges could abuse to achieve remote code execution if Redis is enabled. Evidence fr...
CVE-2021-36025
Magento Commerce is affected by an improper input validation vulnerability in the customer-details save flow. Affected: Magento Commerce v2.4.2 and earlier, v2.4.2-p1 and earlier, and v2.3.7 and earlier. Root cause: improper input validation when saving a customer’s details with a specially craf...