CVE-2021-21025 – magento/community-edition
Package
Manager: composer
Name: magento/community-edition
Vulnerable Version: >=0 <2.3.6-p1 || >=2.4.0 <2.4.1-p1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.04724 (percentile: 0.8898)
Details
Magento XPath Injection
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
Metadata
Created: 2022-05-24T17:41:55Z
Modified: 2025-02-10T20:44:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h437-qjj9-vmq4/GHSA-h437-qjj9-vmq4.json
CWE IDs: ["CWE-91"]
Alternative ID: GHSA-h437-qjj9-vmq4
Finding: F021
Auto approve: 1