Vulnerability Details : CVE-2021-36023
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
Vulnerability category: Execute code
Products affected by CVE-2021-36023
- cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
- cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*
- cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
- cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*
- cpe:2.3:a:magento:magento:2.3.7:-:*:*:commerce:*:*:*
- cpe:2.3:a:magento:magento:2.3.7:-:*:*:open_source:*:*:*
- cpe:2.3:a:magento:magento:2.4.2:-:*:*:commerce:*:*:*
- cpe:2.3:a:magento:magento:2.4.2:-:*:*:open_source:*:*:*
- cpe:2.3:a:magento:magento:2.4.2:p1:*:*:commerce:*:*:*
- cpe:2.3:a:magento:magento:2.4.2:p1:*:*:open_source:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-36023
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 57 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-36023
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
2.3
|
6.0
|
Adobe Systems Incorporated |
CWE ids for CVE-2021-36023
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: psirt@adobe.com (Primary)
References for CVE-2021-36023
-
https://helpx.adobe.com/security/products/magento/apsb21-64.html
Adobe Security BulletinVendor Advisory
Jump to