CVE-2021-21019 – magento/community-edition

Package

Manager: composer
Name: magento/community-edition
Vulnerable Version: >=0 <2.3.6-p1 || >=2.4.0 <2.4.1-p1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.03012 pctl0.86082

Details

Magento XML injection in the Widgets module Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Metadata

Created: 2022-05-24T17:41:56Z
Modified: 2024-01-10T20:09:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mw95-gmw4-883p/GHSA-mw95-gmw4-883p.json
CWE IDs: ["CWE-91"]
Alternative ID: GHSA-mw95-gmw4-883p
Finding: F083
Auto approve: 1