Magento Commerce Security Vulnerabilities and Issues — Magento Commerce CVE List

Lucene search

AdobeMagento Commerce

7 matches found

CVE•added 2022/08/16 9:15 p.m.•81 views

CVE-2022-34254

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could be abused by an attacker to inject malicious scripts into the vulnerable endpoint...

8.8CVSS8AI score0.00855EPSS

CVE•added 2022/08/16 9:15 p.m.•74 views

CVE-2022-34255

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeove...

8.8CVSS8.6AI score0.00627EPSS

CVE•added 2021/02/11 8:15 p.m.•60 views

CVE-2021-21015

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is requ...

8.5CVSS8.1AI score0.0471EPSS

CVE•added 2021/01/13 11:15 p.m.•52 views

CVE-2021-21013

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the customer API module. Successful exploitation could lead to sensitive information disclosure and update arbitrary information on another user's...

8.1CVSS7.5AI score0.00645EPSS

CVE•added 2021/02/11 8:15 p.m.•49 views

CVE-2021-21030

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue...

8.1CVSS7.3AI score0.06281EPSS

CVE•added 2021/09/01 3:15 p.m.•45 views

CVE-2021-36032

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the V1/customers/me endpoint to achieve information exposure and pri...

8.8CVSS8.3AI score0.00873EPSS

CVE•added 2021/09/01 3:15 p.m.•42 views

CVE-2021-36043

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled.

8CVSS7.1AI score0.0261EPSS