Vulnerability Details : CVE-2021-36020
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2021-36020
Probability of exploitation activity in the next 30 days: 0.37%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 72 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-36020
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
8.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
3.9
|
4.2
|
Adobe Systems Incorporated |
CWE ids for CVE-2021-36020
-
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Assigned by:
- nvd@nist.gov (Primary)
- psirt@adobe.com (Secondary)
References for CVE-2021-36020
-
https://helpx.adobe.com/security/products/magento/apsb21-64.html
Adobe Security BulletinPatch;Vendor Advisory
Products affected by CVE-2021-36020
- cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_commerce:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_commerce:2.4.2:p1:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:magento_open_source:2.4.2:p1:*:*:*:*:*:*