CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Magento : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-28585 20 2021-06-28 2021-07-06
5.0
None Remote Low Not required None Partial None
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails.
2 CVE-2021-28584 22 Dir. Trav. 2021-06-28 2021-07-06
6.5
None Remote Low ??? Partial Partial Partial
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required for successful exploitation.
3 CVE-2021-28583 657 2021-06-28 2021-07-06
4.3
None Remote Medium Not required Partial None None
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources.
4 CVE-2021-28567 863 2021-09-08 2021-09-14
4.0
None Remote Low ??? None Partial None
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation.
5 CVE-2021-28566 200 +Info 2021-09-08 2021-09-14
4.0
None Remote Low ??? Partial None None
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
6 CVE-2021-28563 285 2021-06-28 2021-07-02
6.4
None Remote Low Not required Partial Partial None
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
7 CVE-2021-28556 79 XSS 2021-06-28 2021-07-02
3.5
None Remote Medium ??? None Partial None
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for successful exploitation.
8 CVE-2021-21064 22 Dir. Trav. 2021-02-25 2021-03-02
4.0
None Remote Low ??? Partial None None
Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which allows reading arbitrary files from the remote server. Access to the admin console is required for successful exploitation.
9 CVE-2021-21032 613 2021-02-11 2021-02-16
7.5
None Remote Low Not required Partial Partial Partial
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
10 CVE-2021-21031 613 2021-02-11 2021-02-16
7.5
None Remote Low Not required Partial Partial Partial
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
11 CVE-2021-21030 79 XSS 2021-02-11 2021-02-16
4.3
None Remote Medium Not required None Partial None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction.
12 CVE-2021-21029 79 XSS 2021-02-11 2021-06-11
3.5
None Remote Medium ??? None Partial None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.
13 CVE-2021-21027 352 CSRF 2021-02-11 2021-02-16
4.3
None Remote Medium Not required None Partial None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.
14 CVE-2021-21026 285 2021-02-11 2021-02-16
4.0
None Remote Low ??? Partial None None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
15 CVE-2021-21025 91 Exec Code 2021-02-11 2021-02-16
6.5
None Remote Low ??? Partial Partial Partial
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
16 CVE-2021-21024 89 Sql 2021-02-11 2021-02-16
6.5
None Remote Low ??? Partial Partial Partial
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
17 CVE-2021-21023 79 XSS 2021-02-11 2021-02-16
3.5
None Remote Medium ??? None Partial None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.
18 CVE-2021-21022 285 2021-02-11 2021-02-16
4.3
None Remote Medium Not required Partial None None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.
19 CVE-2021-21020 284 Bypass 2021-02-11 2021-02-16
4.3
None Remote Medium Not required None Partial None
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources.
20 CVE-2021-21019 91 Exec Code 2021-02-11 2021-02-16
6.5
None Remote Low ??? Partial Partial Partial
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
21 CVE-2021-21018 78 Exec Code 2021-02-11 2021-02-16
9.0
None Remote Low ??? Complete Complete Complete
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
22 CVE-2021-21016 78 Exec Code 2021-02-11 2021-02-16
9.0
None Remote Low ??? Complete Complete Complete
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
23 CVE-2021-21015 78 Exec Code 2021-02-11 2021-02-16
8.5
None Remote Medium ??? Complete Complete Complete
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
24 CVE-2021-21014 434 Exec Code Bypass 2021-02-11 2021-02-16
6.5
None Remote Low ??? Partial Partial Partial
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
25 CVE-2020-24408 79 XSS 2020-10-16 2021-03-25
4.3
None Remote Medium Not required None Partial None
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.
26 CVE-2020-24407 434 Exec Code 2020-11-09 2020-11-12
9.0
None Remote Low ??? Complete Complete Complete
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
27 CVE-2020-24406 22 Dir. Trav. 2020-11-09 2020-11-12
4.3
None Remote Medium Not required Partial None None
When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.
28 CVE-2020-24405 285 2020-11-09 2020-11-12
4.0
None Remote Low ??? None Partial None
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.
29 CVE-2020-24404 285 2020-11-09 2020-11-12
5.5
None Remote Low ??? None Partial Partial
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.
30 CVE-2020-24403 285 2020-11-09 2020-11-12
4.0
None Remote Low ??? None Partial None
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.
31 CVE-2020-24402 285 2020-11-09 2020-11-12
5.5
None Remote Low ??? None Partial Partial
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.
32 CVE-2020-24401 863 2020-11-09 2020-11-12
5.5
None Remote Low ??? Partial Partial None
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
33 CVE-2020-24400 89 Sql 2020-11-09 2020-11-12
5.5
None Remote Low ??? Partial Partial None
Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.
34 CVE-2020-15151 352 CSRF 2020-08-20 2021-11-18
4.0
None Remote High Not required Partial Partial None
OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `fromkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.
35 CVE-2020-9692 863 Exec Code Bypass 2020-07-29 2021-07-21
8.5
None Remote Medium ??? Complete Complete Complete
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
36 CVE-2020-9691 79 Exec Code XSS 2020-07-29 2020-07-29
9.3
None Remote Medium Not required Complete Complete Complete
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.
37 CVE-2020-9690 203 Bypass 2020-07-29 2020-07-30
3.5
None Remote Medium ??? None Partial None
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
38 CVE-2020-9689 22 Exec Code Dir. Trav. 2020-07-29 2020-07-30
8.5
None Remote Medium ??? Complete Complete Complete
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.
39 CVE-2020-9665 79 XSS 2020-07-22 2020-07-24
4.3
None Remote Medium Not required None Partial None
Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
40 CVE-2020-9664 94 Exec Code 2020-07-22 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a php object injection vulnerability. Successful exploitation could lead to arbitrary code execution.
41 CVE-2020-9632 Exec Code Bypass 2020-06-26 2020-07-02
10.0
None Remote Low Not required Complete Complete Complete
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
42 CVE-2020-9631 Exec Code Bypass 2020-06-26 2020-07-01
10.0
None Remote Low Not required Complete Complete Complete
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
43 CVE-2020-9630 269 2020-06-26 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation.
44 CVE-2020-9591 200 +Info 2020-06-26 2021-07-21
5.0
None Remote Low Not required Partial None None
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to unauthorized access to admin panel.
45 CVE-2020-9588 203 Bypass 2020-06-26 2020-07-01
6.5
None Remote Low ??? Partial Partial Partial
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
46 CVE-2020-9587 863 Bypass 2020-06-26 2021-07-21
5.0
None Remote Low Not required None Partial None
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.
47 CVE-2020-9585 Exec Code 2020-06-26 2020-07-01
7.5
None Remote Low Not required Partial Partial Partial
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.
48 CVE-2020-9584 79 XSS 2020-06-26 2020-06-30
3.5
None Remote Medium ??? None Partial None
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
49 CVE-2020-9583 78 Exec Code 2020-06-26 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
50 CVE-2020-9582 78 Exec Code 2020-06-26 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Total number of vulnerabilities : 212   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.