Total
32 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-36031 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution. | |||||
CVE-2021-36043 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 6.0 MEDIUM | 6.6 MEDIUM |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled. | |||||
CVE-2021-36033 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. | |||||
CVE-2021-36032 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation. | |||||
CVE-2021-36035 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution. | |||||
CVE-2021-36037 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure. | |||||
CVE-2021-36027 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
CVE-2021-36039 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information. | |||||
CVE-2021-36041 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the 'pub/media` directory could lead to remote code execution. | |||||
CVE-2021-36024 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution. | |||||
CVE-2021-36025 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can leverage this vulnerability to achieve remote code execution. | |||||
CVE-2021-21012 | 1 Adobe | 2 Magento Commerce, Magento Open Source | 2023-12-10 | 4.3 MEDIUM | 5.3 MEDIUM |
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure. |