32 matches found
CVE-2022-24093
Summary: CVE-2022-24093 affects Adobe Commerce and Magento Open Source, with an improper input validation vulnerability that could enable post-authentication arbitrary code execution. Affected versions (per sources): Adobe Commerce 2.4.3-p1 and earlier; 2.3.7-p2 and earlier (and related 2.x lines...
CVE-2023-22247
Adobe Commerce (Magento) XML Injection vulnerability CVE-2023-22247 affects 2.4.4-p2 and earlier, and 2.4.5-p1 and earlier. An unauthenticated attacker can force the application to make arbitrary requests by injecting URLs, potentially enabling arbitrary file system read. Impact is high for confi...
CVE-2023-22249
Adobe Commerce (Magento) stores a Cross-Site Scripting (XSS) vulnerability affecting versions 2.4.4-p2 and earlier and 2.4.5-p1 and earlier. The issue involves vulnerable form fields that can inject malicious JavaScript and execute in a user’s browser. The CVSS vector indicates a high-privileges ...
CVE-2022-35698
The CVE-2022-35698 entry concerns a Stored Cross-Site Scripting vulnerability in Adobe Commerce and Magento Open Source, affecting Adobe Commerce 2.4.4-p1 and earlier and 2.4.5 and earlier. The issue can allow post-authentication arbitrary code execution, with exploitation described as not requir...
CVE-2022-35689
Adobe Commerce and Magento Open Source are affected by CVE-2022-35689: an Improper Access Control flaw in Adobe Commerce versions 2.4.4-p1 and earlier, and 2.4.5 and earlier, could bypass security features and affect availability of a user feature. Exploitation is possible without user interactio...
CVE-2021-36031
CVE-2021-36031 is a path-traversal vulnerability in Magento Commerce affecting versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The issue allows an attacker with admin privileges to trigger remote code execution via the theme[preview_image] parameter. The connected d...
CVE-2021-39864
CVE-2021-39864 is a CSRF vulnerability in Adobe Commerce / Magento Open Source via a Wishlist Share Link. Affected: Adobe Commerce versions 2.4.2-p2 and earlier, 2.4.3 and earlier, 2.3.7p1 and earlier. Impact: unauthenticated attacker could cause unauthorized additions to a customer’s cart withou...
CVE-2021-36022
Magento Commerce is affected by an XML Injection vulnerability in the Widgets Update Layout across versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The underlying issue allows an attacker with admin privileges to trigger a crafted script that achieves remote code exe...
CVE-2021-36044
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability that allows an unauthenticated attacker to cause a server-side denial-of-service via a GraphQL field. The issue is rooted in input validation an...
CVE-2021-36026
Magento Commerce stored cross-site scripting (XSS) in the customer address upload feature affects Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The vulnerability allows an attacker to inject malicious JavaScript into vulnerable form fields, which ...
CVE-2021-36029
Magento Commerce vulnerabilities (CVE-2021-36029) affect versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The issue is improper authorization that could allow an attacker with admin privileges to perform remote code execution. Connected advisories confirm this is a Magento...
CVE-2021-21012
CVE-2021-21012 is an IDOR in Magento checkout that, per multiple documents, affects Magento Open Source and Commerce variants up to 2.4.1 (and earlier) and 2.3.6 (and earlier), enabling potentially sensitive information disclosure via insecure direct object references in the checkout module. The ...
CVE-2023-22250
Adobe Commerce Open Source/Commerce (Magento) suffers an Improper Access Control vulnerability (CVE-2023-22250) affecting 2.4.4-p2 and earlier and 2.4.5-p1 and earlier. The issue could allow a security feature bypass and impact availability of a user’s minor feature without user interaction. CVSS...
CVE-2023-22251
CVE-2023-22251 describes an Incorrect Authorization flaw impacting Adobe Commerce / Magento Open Source (notably versions 2.4.4-p2 and earlier, 2.4.5-p1 and earlier). The issue allows a low-privileged authenticated attacker to cause a minor information disclosure . Core details across connected d...
CVE-2021-36020
Magento Commerce versions 2.4.2 and earlier (including 2.4.2-p1 and 2.3.7 and earlier) are affected by an XML Injection vulnerability in the City field that allows unauthenticated remote code execution. The issue is triggered by a specially crafted input and can compromise the server. Public refe...
CVE-2021-36024
CVE-2021-36024 affects Magento Commerce 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The root cause is Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint, enabling an attacker with admin privileges to upload a crafted file to achieve ...
CVE-2021-36041
CVE-2021-36041 affects Magento Commerce; versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are vulnerable to improper input validation. An attacker with admin privileges can upload a crafted file in the pub/media directory to achieve remote code execution. Documented i...
CVE-2021-36012
CVE-2021-36012 describes a business-logic flaw in Magento Commerce’s placeOrder GraphQL mutation where an authenticated attacker can alter the price of an item, affecting Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The vulnerability stems from a...
CVE-2021-36035
CVE-2021-36035 affects Magento Commerce (2.4.2 and earlier; 2.4.2-p1 and earlier; 2.3.7 and earlier). The root cause is improper input validation in the Magento Stock Media flow, allowing an attacker with admin privileges to send a crafted request to the Adobe Stock API and achieve remote code ex...
CVE-2021-36033
CVE-2021-36033 refers to an XML Injection in the Magento Commerce Widgets Module. Affected software includes Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The vulnerability allows an attacker with administrative privileges to submit specially crafted XM...
CVE-2021-36027
Magento Commerce’s CVE-2021-36027 describes a stored XSS in form fields affecting Magento Community/Commerce editions prior to certain patched releases. Affected versions include 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The vulnerability allows an attacker to inject malicio...
CVE-2021-36042
Magento Commerce CVE-2021-36042 describes an improper input validation vulnerability in the API File Option Upload Extension. A user with Admin privileges can upload unrestricted files, enabling remote code execution. Affected versions include 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 an...
CVE-2021-36032
Magento Commerce is affected by CVE-2021-36032, an improper input validation vulnerability leading to an insecure direct object reference in the V1/customers/me endpoint. The issue allows an authenticated attacker to access information and escalate privileges within Magento Commerce versions 2.4....
CVE-2021-36030
Magento Commerce before 2.4.2-p1 and 2.3.7 (and earlier 2.4.2) contain an improper input validation flaw during checkout that can let an unauthenticated attacker alter item prices. This is documented across multiple sources (NVD entry CVE-2021-36030, GHSA/RHFF-65HP-55RW, OSV, and related advisori...
CVE-2021-36034
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability that allows remote code execution via a specially crafted file uploaded by an attacker with admin privileges. The issue stems from insufficient ...
CVE-2021-36038
Magento Commerce prior to 2.4.3 and 2.3.x are affected by CVE-2021-36038 due to an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could use this vulnerability to disclose sensitive information. Affected versions include 2.4.2 and earlier, 2.4.2-p1 a...
CVE-2021-36040
CVE-2021-36040 affects Magento Commerce: versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The issue is improper input validation that allows an attacker with admin privileges to upload a specially crafted file and bypass file extension restrictions, potentially enabl...
CVE-2021-36037
CVE-2021-36037 affects Magento Commerce: Magento Commerce 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are impacted by an improper authorization vulnerability that could allow an authenticated attacker to obtain sensitive information disclosure . The issue is described in ...
CVE-2021-36039
CVE-2021-36039 affects Magento Commerce: improper input validation via the quoteId parameter can lead to information disclosure. Affected: Magento Commerce editions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The vulnerability is described as allowing an attacker to disclose s...
CVE-2021-36028
CVE-2021-36028 (Magento Commerce) is an XML Injection vulnerability affecting Magento versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The root cause is XML injection when saving a configurable product. An attacker with admin privileges can trigger a crafted script to achi...
CVE-2021-36043
CVE-2021-36043 affects Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier, and 2.3.7 and earlier. The root cause is a blind SSRF in the bundled dotmailer extension, which an attacker with admin privileges could abuse to achieve remote code execution if Redis is enabled. Evidence fr...
CVE-2021-36025
Magento Commerce is affected by an improper input- validation vulnerability in the customer-details save flow. Affected: Magento Commerce v2.4.2 and earlier, v2.4.2-p1 and earlier, and v2.3.7 and earlier. Root cause: improper input validation when saving a customer’s details with a specially craf...