Adobe Magento Commerce

9 matches found

CVE
added 2023/03/27 9:15 p.m. | 254 views

CVE-2023-22247

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of t...

CVSS 7.5 | AI score 7.7 | EPSS 0.00736
CVE
added 2020/11/09 1:15 a.m. | 194 views

CVE-2020-24400

Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.

CVSS 7.1 | AI score 6.6 | EPSS 0.00189
CVE
added 2023/06/15 7:15 p.m. | 76 views

CVE-2023-22248

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user's data. Exploitation of this iss...

CVSS 7.5 | AI score 7.3 | EPSS 0.00145
CVE
added 2021/09/01 3:15 p.m. | 61 views

CVE-2021-36031

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the theme[preview_image] parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.

CVSS 7.2 | AI score 7.3 | EPSS 0.1031
CVE
added 2021/09/01 3:15 p.m. | 52 views

CVE-2021-36044

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field.

CVSS 7.5 | AI score 7.4 | EPSS 0.02345
CVE
added 2021/02/11 8:15 p.m. | 48 views

CVE-2021-21032

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.

CVSS 7.5 | AI score 5.3 | EPSS 0.00159
CVE
added 2021/06/28 2:15 p.m. | 43 views

CVE-2021-28584

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme. Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console i...

CVSS 7.2 | AI score 5.9 | EPSS 0.00779
CVE
added 2021/09/01 3:15 p.m. | 43 views

CVE-2021-36030

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items.

CVSS 7.5 | AI score 7.5 | EPSS 0.01428
CVE
added 2021/06/28 2:15 p.m. | 39 views

CVE-2021-28583

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources.

CVSS 7.5 | AI score 4.3 | EPSS 0.00531