Vulnerabilites related to adobe - magento_open_source
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the \u0027City\u0027 field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de inyecci\u00f3n XML en el campo \"City\". Un atacante no autenticado puede desencadenar un script especialmente dise\u00f1ado para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36020",
"lastModified": "2024-11-21T06:12:57.967",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.090",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-91"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-91"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una Neutralizaci\u00f3n inapropiada de elementos especiales usados en un comando por medio del endpoint de recogida de datos. Un atacante con privilegios de administrador puede cargar un archivo especialmente dise\u00f1ado para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36024",
"lastModified": "2024-11-21T06:12:58.507",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.213",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:13
Severity ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada por medio del par\u00e1metro \"quoteId\". Un atacante puede abusar de esta vulnerabilidad para divulgar informaci\u00f3n confidencial"
}
],
"id": "CVE-2021-36039",
"lastModified": "2024-11-21T06:13:00.313",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2021-09-01T15:15:10.030",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-15 15:15
Modified
2024-11-21 06:20
Severity ?
Summary
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-86.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-86.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | commerce | * | |
| adobe | commerce | 2.3.7 | |
| adobe | commerce | 2.4.2 | |
| adobe | commerce | 2.4.2 | |
| adobe | commerce | 2.4.2 | |
| adobe | commerce | 2.4.3 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.3.7 | |
| adobe | magento_open_source | 2.4.2 | |
| adobe | magento_open_source | 2.4.2 | |
| adobe | magento_open_source | 2.4.2 | |
| adobe | magento_open_source | 2.4.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7005F6E-E43D-4EA5-A6E8-24A0820E6877",
"versionEndIncluding": "2.3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:*",
"matchCriteriaId": "9F471E19-8AFE-4A6C-88EA-DF94428518F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "26B82CF0-829C-4CC4-B5FD-BD783B0C13BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "496DE1BC-DC23-4873-9A13-E166A267CC13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.2:p2:*:*:*:*:*:*",
"matchCriteriaId": "95AA877E-D67C-42B0-8673-EB7C1CFCE138",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9BB93DC1-7F58-435F-A54D-3E0C9C6AD811",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5327705-B4FC-4774-8387-E4F164196A7A",
"versionEndIncluding": "2.3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.3.7:p1:*:*:*:*:*:*",
"matchCriteriaId": "A9083101-E776-41CA-9DC9-455AFEC577F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "585335C3-60B7-48AA-98AF-CF144EB9C66D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p2:*:*:*:*:*:*",
"matchCriteriaId": "2B0BD7FD-BEC5-4953-B4E2-15AC65A11BA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5DFABFE3-ECCA-4CE5-87D9-E6895A32329F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation."
},
{
"lang": "es",
"value": "Adobe Commerce versiones 2.4.2-p2 (y anteriores), 2.4.3 (y anteriores) y 2.3.7p1 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de tipo cross-site request forgery (CSRF) por medio de un Enlace para Compartir la Lista de Deseos. Una explotaci\u00f3n con \u00e9xito podr\u00eda conllevar a una adici\u00f3n no autorizada al carrito del cliente por parte de un atacante no autenticado. No es requerido un acceso a la consola de administraci\u00f3n para una explotaci\u00f3n con \u00e9xito"
}
],
"id": "CVE-2021-39864",
"lastModified": "2024-11-21T06:20:25.057",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2021-10-15T15:15:08.460",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-86.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-86.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de autorizaci\u00f3n inapropiada. Un atacante con privilegios de administrador podr\u00eda aprovechar esta vulnerabilidad para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36029",
"lastModified": "2024-11-21T06:12:59.107",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.513",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-27 21:15
Modified
2024-11-21 07:44
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb23-17.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb23-17.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | commerce | * | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.5 | |
| adobe | commerce | 2.4.5 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.5 | |
| adobe | magento_open_source | 2.4.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76AAB57F-7723-44E0-B91A-9F120C849AC4",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D258D9EF-94FB-41F0-A7A5-7F66FA7A0055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "4E5CF6F0-2388-4D3F-8FE1-43B8AF148564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "D6D6F1A7-ABB5-4EDC-9EA8-98B74518847A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "9B07F7B2-E915-4EFF-8FFC-91143CEF082E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "7F5E9DB6-1386-4274-8270-2FE0F0CAF7FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBE7069F-C3EE-46F1-85C4-4EC858C49E07",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D6340732-571E-468C-9834-A8B2FCB5F5B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "E2D8E4EA-9756-4F9B-BB73-A3EE9C3006FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "6943D30A-E4A8-47E9-B510-40C2950021D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "684E82D1-7BE3-4D47-9B19-935ED6EC6D62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "80BA2D10-0D51-4E37-A40E-3F8903AE9374",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction."
}
],
"id": "CVE-2023-22247",
"lastModified": "2024-11-21T07:44:23.737",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-27T21:15:10.727",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-91"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada. Un atacante con privilegios de administrador podr\u00eda hacer una petici\u00f3n dise\u00f1ada a la API de Adobe Stock para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36035",
"lastModified": "2024-11-21T06:12:59.820",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.860",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada. Un atacante autenticado puede desencadenar una referencia directa a un objeto inseguro en el endpoint \"V1/customers/me\" para lograr la exposici\u00f3n de informaci\u00f3n y la escalada de privilegios"
}
],
"id": "CVE-2021-36032",
"lastModified": "2024-11-21T06:12:59.460",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.5,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.687",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:13
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada. Un atacante con privilegios de administrador puede subir un archivo especialmente dise\u00f1ado para omitir las restricciones de la extensi\u00f3n de archivos y podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36040",
"lastModified": "2024-11-21T06:13:00.433",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:10.113",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada. Un atacante con privilegios de administrador puede cargar un archivo especialmente dise\u00f1ado para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36034",
"lastModified": "2024-11-21T06:12:59.703",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.800",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:13
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
6.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
6.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de tipo SSRF ciega en la extensi\u00f3n dotmailer incluida. Un atacante con privilegios de administrador podr\u00eda abusar de esto para lograr una ejecuci\u00f3n de c\u00f3digo remota si Redis est\u00e1 habilitado"
}
],
"id": "CVE-2021-36043",
"lastModified": "2024-11-21T06:13:00.833",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:10.293",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-27 21:15
Modified
2024-11-21 07:44
Severity ?
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb23-17.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb23-17.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | commerce | * | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.5 | |
| adobe | commerce | 2.4.5 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.5 | |
| adobe | magento_open_source | 2.4.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76AAB57F-7723-44E0-B91A-9F120C849AC4",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D258D9EF-94FB-41F0-A7A5-7F66FA7A0055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "4E5CF6F0-2388-4D3F-8FE1-43B8AF148564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "D6D6F1A7-ABB5-4EDC-9EA8-98B74518847A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "9B07F7B2-E915-4EFF-8FFC-91143CEF082E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "7F5E9DB6-1386-4274-8270-2FE0F0CAF7FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBE7069F-C3EE-46F1-85C4-4EC858C49E07",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D6340732-571E-468C-9834-A8B2FCB5F5B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "E2D8E4EA-9756-4F9B-BB73-A3EE9C3006FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "6943D30A-E4A8-47E9-B510-40C2950021D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "684E82D1-7BE3-4D47-9B19-935ED6EC6D62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "80BA2D10-0D51-4E37-A40E-3F8903AE9374",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
}
],
"id": "CVE-2023-22249",
"lastModified": "2024-11-21T07:44:24.003",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "psirt@adobe.com",
"type": "Primary"
}
]
},
"published": "2023-03-27T21:15:10.797",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de Salto de Ruta por medio del par\u00e1metro \"theme[preview_image]\". Un atacante con privilegios de administrador podr\u00eda aprovechar esta vulnerabilidad para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36031",
"lastModified": "2024-11-21T06:12:59.347",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2021-09-01T15:15:09.627",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:13
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the 'pub/media` directory could lead to remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the \u0027pub/media` directory could lead to remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada. Un atacante con privilegios de administrador podr\u00eda cargar un archivo especialmente dise\u00f1ado en el directorio \"pub/media\" que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36041",
"lastModified": "2024-11-21T06:13:00.560",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:10.173",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-14 20:15
Modified
2024-11-21 07:11
Severity ?
Summary
Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb22-48.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb22-48.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | commerce | * | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.5 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76AAB57F-7723-44E0-B91A-9F120C849AC4",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D258D9EF-94FB-41F0-A7A5-7F66FA7A0055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "4E5CF6F0-2388-4D3F-8FE1-43B8AF148564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "9B07F7B2-E915-4EFF-8FFC-91143CEF082E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBE7069F-C3EE-46F1-85C4-4EC858C49E07",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D6340732-571E-468C-9834-A8B2FCB5F5B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "E2D8E4EA-9756-4F9B-BB73-A3EE9C3006FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "684E82D1-7BE3-4D47-9B19-935ED6EC6D62",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user\u0027s minor feature. Exploitation of this issue does not require user interaction."
},
{
"lang": "es",
"value": "Adobe Commerce versiones 2.4.4-p1 (y anteriores) y 2.4.5 (y anteriores) est\u00e1n afectadas por una vulnerabilidad de Control de Acceso Inapropiado que podr\u00eda resultar en una omisi\u00f3n de la funcionalidad de Seguridad. Un atacante podr\u00eda aprovechar esta vulnerabilidad para afectar a la disponibilidad de una caracter\u00edstica menor de un usuario. No es requerida una interacci\u00f3n del usuario para la explotaci\u00f3n de este problema"
}
],
"id": "CVE-2022-35689",
"lastModified": "2024-11-21T07:11:28.990",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "psirt@adobe.com",
"type": "Primary"
}
]
},
"published": "2022-10-14T20:15:10.223",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-27 21:15
Modified
2024-11-21 07:44
Severity ?
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb23-17.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb23-17.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | commerce | * | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.5 | |
| adobe | commerce | 2.4.5 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.5 | |
| adobe | magento_open_source | 2.4.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76AAB57F-7723-44E0-B91A-9F120C849AC4",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D258D9EF-94FB-41F0-A7A5-7F66FA7A0055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "4E5CF6F0-2388-4D3F-8FE1-43B8AF148564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "D6D6F1A7-ABB5-4EDC-9EA8-98B74518847A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "9B07F7B2-E915-4EFF-8FFC-91143CEF082E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "7F5E9DB6-1386-4274-8270-2FE0F0CAF7FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBE7069F-C3EE-46F1-85C4-4EC858C49E07",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D6340732-571E-468C-9834-A8B2FCB5F5B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "E2D8E4EA-9756-4F9B-BB73-A3EE9C3006FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "6943D30A-E4A8-47E9-B510-40C2950021D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "684E82D1-7BE3-4D47-9B19-935ED6EC6D62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "80BA2D10-0D51-4E37-A40E-3F8903AE9374",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure."
}
],
"id": "CVE-2023-22251",
"lastModified": "2024-11-21T07:44:24.210",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "psirt@adobe.com",
"type": "Primary"
}
]
},
"published": "2023-03-27T21:15:10.923",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-12 08:15
Modified
2024-11-21 06:49
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb22-13.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb22-13.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.3.7 | |
| adobe | magento_open_source | 2.3.7 | |
| adobe | magento_open_source | 2.4.3 | |
| adobe | magento_open_source | 2.4.3 | |
| adobe | commerce | * | |
| adobe | commerce | * | |
| adobe | commerce | 2.3.7 | |
| adobe | commerce | 2.3.7 | |
| adobe | commerce | 2.4.3 | |
| adobe | commerce | 2.4.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBBBFA0E-0D8F-4055-B912-13886EF81ADA",
"versionEndExcluding": "2.3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B6E6964-140A-4640-AFD0-A237BABFC61F",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.3.7:p1:*:*:*:*:*:*",
"matchCriteriaId": "A9083101-E776-41CA-9DC9-455AFEC577F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.3.7:p2:*:*:*:*:*:*",
"matchCriteriaId": "D4EFC0E8-5DA6-41AF-817F-6C5600C16CCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.3:-:*:*:*:*:*:*",
"matchCriteriaId": "01129B1A-1BEC-4108-920B-B18B57D08D74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "5EBE0746-09A5-4444-9566-B7FCC6369622",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9D3D4DD8-EBF6-4281-B103-CB85CFCAA4C0",
"versionEndExcluding": "2.3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BF96C367-576B-437B-A86C-CB9CA65CB481",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:*",
"matchCriteriaId": "9F471E19-8AFE-4A6C-88EA-DF94428518F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:p2:*:*:*:*:*:*",
"matchCriteriaId": "27E5B990-1E1C-46AC-815F-AF737D211C16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:*",
"matchCriteriaId": "7B503C35-8C90-4A24-8E60-722CDBBF556B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "8A453C85-A14A-47B8-B91D-3906BBE42A78",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution."
},
{
"lang": "es",
"value": "Las versiones 2.4.3-p1 (y anteriores) y 2.3.7-p2 (y anteriores) de Adobe Commerce est\u00e1n afectadas por una vulnerabilidad de validaci\u00f3n de entrada incorrecta. La explotaci\u00f3n de este problema no requiere la interacci\u00f3n del usuario y podr\u00eda dar lugar a una ejecuci\u00f3n de c\u00f3digo arbitrario posterior a la autenticaci\u00f3n."
}
],
"id": "CVE-2022-24093",
"lastModified": "2024-11-21T06:49:47.413",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-12T08:15:12.960",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-13.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-13.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de inyecci\u00f3n XML en el m\u00f3dulo de widgets. Un atacante con privilegios de administrador puede desencadenar un script especialmente dise\u00f1ado para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36033",
"lastModified": "2024-11-21T06:12:59.580",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.743",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-91"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:13
Severity ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de autorizaci\u00f3n inapropiada. Un atacante autenticado podr\u00eda aprovechar esta vulnerabilidad para lograr una divulgaci\u00f3n de informaci\u00f3n confidencial"
}
],
"id": "CVE-2021-36037",
"lastModified": "2024-11-21T06:13:00.070",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2021-09-01T15:15:09.917",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por un error de l\u00f3gica de negocio en la mutaci\u00f3n gr\u00e1fica placeOrder. Un atacante autenticado puede aprovechar esta vulnerabilidad para alterar el precio de un art\u00edculo"
}
],
"id": "CVE-2021-36012",
"lastModified": "2024-11-21T06:12:56.973",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2021-09-01T15:15:09.030",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-840"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de tipo cross-site scripting almacenado en la funci\u00f3n de carga de direcciones de clientes que podr\u00eda ser abusada por un atacante para inyectar scripts maliciosos en campos de formulario vulnerables. El JavaScript malicioso puede ser ejecutado en el navegador de la v\u00edctima cuando \u00e9sta navega a la p\u00e1gina conteniendo el campo vulnerable"
}
],
"id": "CVE-2021-36026",
"lastModified": "2024-11-21T06:12:58.753",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.337",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:13
Severity ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada. Un atacante no autenticado podr\u00eda abusar de esta vulnerabilidad para causar una denegaci\u00f3n de servicio del lado del servidor usando un campo GraphQL"
}
],
"id": "CVE-2021-36044",
"lastModified": "2024-11-21T06:13:00.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2021-09-01T15:15:10.350",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:13
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada en la extensi\u00f3n API File Option Upload. Un atacante con privilegios de administrador puede lograr una carga de archivos sin restricciones, que puede resultar en una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36042",
"lastModified": "2024-11-21T06:13:00.700",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:10.233",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de inyecci\u00f3n XML en el dise\u00f1o de actualizaci\u00f3n de widgets. Un atacante con privilegios de administrador puede desencadenar un script especialmente dise\u00f1ado para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36022",
"lastModified": "2024-11-21T06:12:58.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.150",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-91"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-27 21:15
Modified
2024-11-21 07:44
Severity ?
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb23-17.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb23-17.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | commerce | * | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.5 | |
| adobe | commerce | 2.4.5 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.5 | |
| adobe | magento_open_source | 2.4.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76AAB57F-7723-44E0-B91A-9F120C849AC4",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D258D9EF-94FB-41F0-A7A5-7F66FA7A0055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "4E5CF6F0-2388-4D3F-8FE1-43B8AF148564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "D6D6F1A7-ABB5-4EDC-9EA8-98B74518847A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "9B07F7B2-E915-4EFF-8FFC-91143CEF082E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "7F5E9DB6-1386-4274-8270-2FE0F0CAF7FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBE7069F-C3EE-46F1-85C4-4EC858C49E07",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D6340732-571E-468C-9834-A8B2FCB5F5B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "E2D8E4EA-9756-4F9B-BB73-A3EE9C3006FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "6943D30A-E4A8-47E9-B510-40C2950021D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "684E82D1-7BE3-4D47-9B19-935ED6EC6D62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "80BA2D10-0D51-4E37-A40E-3F8903AE9374",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user\u0027s minor feature. Exploitation of this issue does not require user interaction."
}
],
"id": "CVE-2023-22250",
"lastModified": "2024-11-21T07:44:24.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "psirt@adobe.com",
"type": "Primary"
}
]
},
"published": "2023-03-27T21:15:10.860",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:13
Severity ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada en el m\u00f3dulo Multishipping. Un atacante autenticado podr\u00eda aprovechar esta vulnerabilidad para lograr la divulgaci\u00f3n de informaci\u00f3n confidencial"
}
],
"id": "CVE-2021-36038",
"lastModified": "2024-11-21T06:13:00.190",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2021-09-01T15:15:09.977",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can leverage this vulnerability to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer\u0027s details with a specially crafted file. An authenticated attacker with admin privileges can leverage this vulnerability to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada mientras se guardan los datos de un cliente con un archivo especialmente dise\u00f1ado. Un atacante autenticado con privilegios de administrador puede aprovechar esta vulnerabilidad para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36025",
"lastModified": "2024-11-21T06:12:58.633",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.273",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n Inapropiada de Entrada durante el proceso de compra. Un atacante no autenticado puede aprovechar esta vulnerabilidad para alterar el precio de los art\u00edculos"
}
],
"id": "CVE-2021-36030",
"lastModified": "2024-11-21T06:12:59.227",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.570",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de tipo cross-site scripting almacenado que podr\u00eda ser abusada por un atacante para inyectar scripts maliciosos en campos de formulario vulnerables. El JavaScript malicioso puede ser ejecutado en el navegador de una v\u00edctima cuando \u00e9sta navega a la p\u00e1gina conteniendo el campo vulnerable"
}
],
"id": "CVE-2021-36027",
"lastModified": "2024-11-21T06:12:58.867",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.393",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-13 23:15
Modified
2024-11-21 05:47
Severity ?
Summary
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-08.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-08.html | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | magento_commerce | * | |
| adobe | magento_commerce | 2.4.0 | |
| adobe | magento_commerce | 2.4.0 | |
| adobe | magento_commerce | 2.4.1 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.0 | |
| adobe | magento_open_source | 2.4.0 | |
| adobe | magento_open_source | 2.4.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:magento_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1DC7DD78-8F03-48F0-B0B9-CFA2A5688C68",
"versionEndIncluding": "2.3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_commerce:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "929B3E3E-C779-4450-B44A-558A8B558C25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_commerce:2.4.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "4E2DABEE-A259-44AC-894F-030F8B208D2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_commerce:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CE41A2C2-4A58-4AF4-BC43-42DB7E33933C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F4D60F4-33B9-40FE-B165-C049014C49E5",
"versionEndIncluding": "2.3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1B94967-3ADF-4C8E-81B8-BB3D506F415E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "2B32F980-5FA7-455F-8DC0-E6484CD72096",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "65174537-3A50-4E08-9CBE-9D84B4CC414B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure."
},
{
"lang": "es",
"value": "Las versiones de Magento 2.4.1 (y anteriores), 2.4.0-p1 (y anteriores) y 2.3.6 (y anteriores) son vulnerables a una vulnerabilidad de objeto directo inseguro (IDOR) en el m\u00f3dulo de pago. Una explotaci\u00f3n exitosa podr\u00eda llevar a la divulgaci\u00f3n de informaci\u00f3n sensible"
}
],
"id": "CVE-2021-21012",
"lastModified": "2024-11-21T05:47:24.073",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "psirt@adobe.com",
"type": "Secondary"
}
]
},
"published": "2021-01-13T23:15:14.400",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-09-01 15:15
Modified
2024-11-21 06:12
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb21-64.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | * | |
| adobe | adobe_commerce | 2.4.2 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F005E6-8523-49FF-91F7-644BC737DDEF",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "260156B9-9CEF-4732-AD94-7D3CCD784F1D",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "C711D725-10E3-4A9C-AAD8-9B1766CB42F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "052A5E47-66AF-4F60-8949-E2B6CE98AEE9",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ADE9F2A6-575A-48DA-ACE4-B22ABB275B6B",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "8F768F94-34F1-4FB8-8D96-3BBC9D6B8C89",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
},
{
"lang": "es",
"value": "Magento Commerce versiones 2.4.2 (y anteriores), versiones 2.4.2-p1 (y anteriores), y versiones 2.3.7 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de inyecci\u00f3n XML cuando se guarda un producto configurable. Un atacante con privilegios de administrador puede desencadenar un script especialmente dise\u00f1ado para lograr una ejecuci\u00f3n de c\u00f3digo remota"
}
],
"id": "CVE-2021-36028",
"lastModified": "2024-11-21T06:12:58.987",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T15:15:09.453",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-91"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-14 20:15
Modified
2024-11-21 07:11
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@adobe.com | https://helpx.adobe.com/security/products/magento/apsb22-48.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://helpx.adobe.com/security/products/magento/apsb22-48.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| adobe | commerce | * | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.4 | |
| adobe | commerce | 2.4.5 | |
| adobe | magento_open_source | * | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.4 | |
| adobe | magento_open_source | 2.4.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76AAB57F-7723-44E0-B91A-9F120C849AC4",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D258D9EF-94FB-41F0-A7A5-7F66FA7A0055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "4E5CF6F0-2388-4D3F-8FE1-43B8AF148564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "9B07F7B2-E915-4EFF-8FFC-91143CEF082E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBE7069F-C3EE-46F1-85C4-4EC858C49E07",
"versionEndExcluding": "2.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "D6340732-571E-468C-9834-A8B2FCB5F5B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "E2D8E4EA-9756-4F9B-BB73-A3EE9C3006FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.5:-:*:*:*:*:*:*",
"matchCriteriaId": "684E82D1-7BE3-4D47-9B19-935ED6EC6D62",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution."
},
{
"lang": "es",
"value": "Adobe Commerce versiones 2.4.4-p1 (y anteriores) y 2.4.5 (y anteriores) est\u00e1n afectadas por una vulnerabilidad de tipo Cross-site Scripting Almacenado. No es requerida una interacci\u00f3n del usuario para la explotaci\u00f3n de este problema y podr\u00eda resultar en una ejecuci\u00f3n de c\u00f3digo arbitrario posterior a la autenticaci\u00f3n"
}
],
"id": "CVE-2022-35698",
"lastModified": "2024-11-21T07:11:30.073",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "psirt@adobe.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-14T20:15:11.770",
"references": [
{
"source": "psirt@adobe.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html"
}
],
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@adobe.com",
"type": "Primary"
}
]
}
cve-2022-35698
Vulnerability from cvelistv5
Published
2022-10-14 19:48
Modified
2024-09-17 01:16
Severity ?
EPSS score ?
Summary
Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:44:20.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-10-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Stored XSS Arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2022-35698",
"datePublished": "2022-10-14T19:48:10.464038Z",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-09-17T01:16:34.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36030
Vulnerability from cvelistv5
Published
2021-09-01 14:31
Modified
2024-09-17 03:39
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.434Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:31:19",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Improper Input Validation During Checkout Process Could Lead To Privilege Escalation",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36030",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Improper Input Validation During Checkout Process Could Lead To Privilege Escalation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36030",
"datePublished": "2021-09-01T14:31:19.323871Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T03:39:08.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22250
Vulnerability from cvelistv5
Published
2023-03-27 00:00
Modified
2024-08-02 10:07
Severity ?
EPSS score ?
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user\u0027s minor feature. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Improper Access Control Security feature bypass"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22250",
"datePublished": "2023-03-27T00:00:00",
"dateReserved": "2022-12-19T00:00:00",
"dateUpdated": "2024-08-02T10:07:05.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-35689
Vulnerability from cvelistv5
Published
2022-10-14 19:48
Modified
2024-09-16 23:05
Severity ?
EPSS score ?
Summary
Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user\u0027s minor feature. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Improper Access Control Security feature bypass"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2022-35689",
"datePublished": "2022-10-14T19:48:16.881622Z",
"dateReserved": "2022-07-12T00:00:00",
"dateUpdated": "2024-09-16T23:05:52.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22247
Vulnerability from cvelistv5
Published
2023-03-27 00:00
Modified
2024-08-02 10:07
Severity ?
EPSS score ?
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection) (CWE-91)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce XML Injection Arbitrary file system read"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22247",
"datePublished": "2023-03-27T00:00:00",
"dateReserved": "2022-12-19T00:00:00",
"dateUpdated": "2024-08-02T10:07:05.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36044
Vulnerability from cvelistv5
Published
2021-09-01 14:32
Modified
2024-09-16 19:57
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.198Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:32:31",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce GraphQL Improper Input Validation Could Lead To Denial Of Service",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36044",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce GraphQL Improper Input Validation Could Lead To Denial Of Service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36044",
"datePublished": "2021-09-01T14:32:31.895533Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T19:57:02.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36035
Vulnerability from cvelistv5
Published
2021-09-01 14:30
Modified
2024-09-16 23:31
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.230Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:30:48",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Stock Media Improper Input Validation Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36035",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Stock Media Improper Input Validation Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36035",
"datePublished": "2021-09-01T14:30:48.954216Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T23:31:45.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36029
Vulnerability from cvelistv5
Published
2021-09-01 14:29
Modified
2024-09-16 19:46
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization (CWE-285)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:29:55",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Improper Authorization Vulnerability Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36029",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Improper Authorization Vulnerability Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization (CWE-285)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36029",
"datePublished": "2021-09-01T14:29:55.051477Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T19:46:09.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36012
Vulnerability from cvelistv5
Published
2021-09-01 14:28
Modified
2024-09-17 02:16
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.174Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-840",
"description": "Business Logic Errors (CWE-840)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:28:16",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Gift Card Business Logic Error",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36012",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Gift Card Business Logic Error"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Business Logic Errors (CWE-840)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36012",
"datePublished": "2021-09-01T14:28:16.253218Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T02:16:51.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36041
Vulnerability from cvelistv5
Published
2021-09-01 14:31
Modified
2024-09-17 04:04
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the 'pub/media` directory could lead to remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the \u0027pub/media` directory could lead to remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:31:14",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Improper Input Validation Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36041",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Improper Input Validation Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the \u0027pub/media` directory could lead to remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36041",
"datePublished": "2021-09-01T14:31:14.142861Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T04:04:02.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24093
Vulnerability from cvelistv5
Published
2023-09-12 07:36
Modified
2024-08-03 03:59
Severity ?
EPSS score ?
Summary
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb22-13.html | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Adobe Commerce |
Version: 0 ≤ 2.3.7-p2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-13.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.3.7-p2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2022-04-12T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "HIGH",
"modifiedScope": "NOT_DEFINED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "HIGH",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-12T07:36:03.118Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb22-13.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce post-auth improper input validation leads to remote code execution"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2022-24093",
"datePublished": "2023-09-12T07:36:03.118Z",
"dateReserved": "2022-01-27T20:47:58.755Z",
"dateUpdated": "2024-08-03T03:59:23.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-21012
Vulnerability from cvelistv5
Published
2021-01-13 22:35
Modified
2024-09-16 17:33
Severity ?
EPSS score ?
Summary
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-08.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:23.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.0-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-17T21:00:03",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-02-09T23:00:00.000Z",
"ID": "CVE-2021-21012",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.1"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.0-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.6"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "None",
"attackVector": "None",
"availabilityImpact": "None",
"baseScore": 5.3,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "None",
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-21012",
"datePublished": "2021-01-13T22:35:38.509589Z",
"dateReserved": "2020-12-18T00:00:00",
"dateUpdated": "2024-09-16T17:33:28.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36043
Vulnerability from cvelistv5
Published
2021-09-01 14:31
Modified
2024-09-16 20:36
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.512Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF) (CWE-918)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:31:38",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Authenticated Blind SSRF Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36043",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Authenticated Blind SSRF Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "High",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) (CWE-918)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36043",
"datePublished": "2021-09-01T14:31:38.272830Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T20:36:46.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36034
Vulnerability from cvelistv5
Published
2021-09-01 14:28
Modified
2024-09-16 16:42
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:28:46",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Improper Input Validation Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36034",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Improper Input Validation Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36034",
"datePublished": "2021-09-01T14:28:46.348481Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T16:42:50.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22251
Vulnerability from cvelistv5
Published
2023-03-27 00:00
Modified
2024-08-02 10:07
Severity ?
EPSS score ?
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Incorrect Authorization Security feature bypass"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22251",
"datePublished": "2023-03-27T00:00:00",
"dateReserved": "2022-12-19T00:00:00",
"dateUpdated": "2024-08-02T10:07:05.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36025
Vulnerability from cvelistv5
Published
2021-09-01 14:31
Modified
2024-09-17 00:21
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can leverage this vulnerability to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer\u0027s details with a specially crafted file. An authenticated attacker with admin privileges can leverage this vulnerability to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:31:02",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Customer Edition Improper Input Validation Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36025",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Customer Edition Improper Input Validation Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer\u0027s details with a specially crafted file. An authenticated attacker with admin privileges can leverage this vulnerability to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36025",
"datePublished": "2021-09-01T14:31:02.108466Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T00:21:57.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-39864
Vulnerability from cvelistv5
Published
2021-10-15 14:21
Modified
2024-09-17 01:07
Severity ?
EPSS score ?
Summary
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-86.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:20:33.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-86.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-10-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF) (CWE-352)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-15T14:21:43",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-86.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Cart Addition",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-10-12T23:00:00.000Z",
"ID": "CVE-2021-39864",
"STATE": "PUBLIC",
"TITLE": "Adobe Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Cart Addition"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.3"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p2"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7-p1"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to customer cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) (CWE-352)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-86.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-86.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-39864",
"datePublished": "2021-10-15T14:21:43.419320Z",
"dateReserved": "2021-08-23T00:00:00",
"dateUpdated": "2024-09-17T01:07:10.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36037
Vulnerability from cvelistv5
Published
2021-09-01 14:28
Modified
2024-09-17 03:44
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization (CWE-285)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:28:24",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Improper Authorization Vulnerability Could Lead To Information Exposure",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36037",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Improper Authorization Vulnerability Could Lead To Information Exposure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization (CWE-285)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36037",
"datePublished": "2021-09-01T14:28:24.437134Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T03:44:08.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36039
Vulnerability from cvelistv5
Published
2021-09-01 14:30
Modified
2024-09-16 23:21
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:30:01",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce `quoteId` parameter Incorrect Authorization Vulnerability Could Lead To Information Disclosure",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36039",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce `quoteId` parameter Incorrect Authorization Vulnerability Could Lead To Information Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Authorization (CWE-863)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36039",
"datePublished": "2021-09-01T14:30:01.556748Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T23:21:57.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36038
Vulnerability from cvelistv5
Published
2021-09-01 14:29
Modified
2024-09-16 20:28
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:29:34",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Multishipping Module Improper Input Validation Could Lead To Information Exposure",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36038",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Multishipping Module Improper Input Validation Could Lead To Information Exposure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36038",
"datePublished": "2021-09-01T14:29:34.101278Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T20:28:00.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36027
Vulnerability from cvelistv5
Published
2021-09-01 14:32
Modified
2024-09-16 20:47
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:32:00",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Stored Cross-site Scripting Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36027",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Stored Cross-site Scripting Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (Stored XSS) (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36027",
"datePublished": "2021-09-01T14:32:00.605315Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T20:47:32.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36028
Vulnerability from cvelistv5
Published
2021-09-01 14:28
Modified
2024-09-16 23:20
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.504Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection) (CWE-91)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:28:56",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce XML Injection Vulnerability Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36028",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce XML Injection Vulnerability Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML Injection (aka Blind XPath Injection) (CWE-91)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36028",
"datePublished": "2021-09-01T14:28:56.481294Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T23:20:58.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36042
Vulnerability from cvelistv5
Published
2021-09-01 14:31
Modified
2024-09-17 01:25
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:31:24",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce API File Option Upload Extension Improper Input Validation Vulnerability Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36042",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce API File Option Upload Extension Improper Input Validation Vulnerability Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36042",
"datePublished": "2021-09-01T14:31:24.882861Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T01:25:59.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36020
Vulnerability from cvelistv5
Published
2021-09-01 14:30
Modified
2024-09-16 23:31
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.492Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the \u0027City\u0027 field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection) (CWE-91)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:30:56",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce XML Injection Vulnerability In The \u0027City\u0027 Field Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36020",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce XML Injection Vulnerability In The \u0027City\u0027 Field Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the \u0027City\u0027 field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 8.2,
"baseSeverity": "High",
"confidentialityImpact": "High",
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML Injection (aka Blind XPath Injection) (CWE-91)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36020",
"datePublished": "2021-09-01T14:30:56.497937Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T23:31:49.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36032
Vulnerability from cvelistv5
Published
2021-09-01 14:29
Modified
2024-09-17 02:56
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:29:40",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Improper Input Validation Could Lead To Information Exposure and Privilege Escalation",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36032",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Improper Input Validation Could Lead To Information Exposure and Privilege Escalation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "Low",
"baseScore": 8.3,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36032",
"datePublished": "2021-09-01T14:29:40.817356Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T02:56:51.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36024
Vulnerability from cvelistv5
Published
2021-09-01 14:30
Modified
2024-09-16 18:12
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.127Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) (CWE-78)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:30:42",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Improper Neutralization of Special Elements Used In A Command",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36024",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Improper Neutralization of Special Elements Used In A Command"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) (CWE-78)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36024",
"datePublished": "2021-09-01T14:30:42.976718Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T18:12:50.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36040
Vulnerability from cvelistv5
Published
2021-09-01 14:31
Modified
2024-09-17 01:35
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:31:07",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Improper Input Validation Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36040",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Improper Input Validation Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36040",
"datePublished": "2021-09-01T14:31:07.265053Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T01:35:35.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36022
Vulnerability from cvelistv5
Published
2021-09-01 14:28
Modified
2024-09-16 17:38
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) (CWE-78)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:28:37",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Widgets Update Layout XML Injection Vulnerability Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36022",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Widgets Update Layout XML Injection Vulnerability Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) (CWE-78)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36022",
"datePublished": "2021-09-01T14:28:37.462873Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T17:38:47.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36031
Vulnerability from cvelistv5
Published
2021-09-01 14:30
Modified
2024-09-17 03:02
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:30:35",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Path Traversal In `theme[preview_image]` Parameter Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36031",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Path Traversal In `theme[preview_image]` Parameter Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 7.2,
"baseSeverity": "High",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36031",
"datePublished": "2021-09-01T14:30:35.018817Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T03:02:41.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36033
Vulnerability from cvelistv5
Published
2021-09-01 14:28
Modified
2024-09-16 23:21
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.174Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection) (CWE-91)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:28:30",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Widgets Module XML Injection Vulnerability Could Lead To Remote Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36033",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Widgets Module XML Injection Vulnerability Could Lead To Remote Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML Injection (aka Blind XPath Injection) (CWE-91)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36033",
"datePublished": "2021-09-01T14:28:30.908518Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-16T23:21:27.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22249
Vulnerability from cvelistv5
Published
2023-03-27 00:00
Modified
2024-08-02 10:07
Severity ?
EPSS score ?
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Stored XSS Arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22249",
"datePublished": "2023-03-27T00:00:00",
"dateReserved": "2022-12-19T00:00:00",
"dateUpdated": "2024-08-02T10:07:05.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36026
Vulnerability from cvelistv5
Published
2021-09-01 14:29
Modified
2024-09-17 03:48
Severity ?
EPSS score ?
Summary
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
References
| ▼ | URL | Tags |
|---|---|---|
| https://helpx.adobe.com/security/products/magento/apsb21-64.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.399Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.2-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-01T14:29:48",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Stored Cross-site Scripting Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-08-10T23:00:00.000Z",
"ID": "CVE-2021-36026",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Stored Cross-site Scripting Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.2"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.2-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.7"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "Low",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"userInteraction": "Required",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (Stored XSS) (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-64.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-36026",
"datePublished": "2021-09-01T14:29:48.434043Z",
"dateReserved": "2021-06-30T00:00:00",
"dateUpdated": "2024-09-17T03:48:19.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}