Magento Commerce Stored Cross-site Scripting Vulnerability
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in Magento Commerce's customer address upload feature allows attackers to inject malicious scripts into form fields, executing JavaScript in victims' browsers.
Vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are affected by a stored cross-site scripting (XSS) vulnerability in the customer address upload feature. The vulnerability allows an attacker to inject malicious scripts into vulnerable form fields, which are then stored and executed when a victim views the page containing the field. [1]
Exploitation
An attacker with the ability to upload a customer address (e.g., a registered user) can inject malicious JavaScript into the address fields. The injected script is stored on the server and executed in the browser of any victim who navigates to the page displaying the vulnerable field. No additional user interaction beyond viewing the page is required. [1]
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser within the context of the Magento application. This can lead to session hijacking, defacement, theft of sensitive data, or other actions that the victim's browser can perform. [1]
Mitigation
No fixed version is disclosed in the available references. Users should monitor Adobe's security advisories for patches. As of the publication date, no workaround is mentioned. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition (Packagist) | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
- Range: <=2.4.2-p1, <=2.3.7
- ghsa-coords (2 versions): < 2.3.7-p1, + 1 more
- (no CPE) range: < 2.3.7-p1
- (no CPE) range: <= 2.0.2
- Adobe/Magento Commerce (v5) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8gfq-m4cf-w975 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-36026 (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb21-64.html (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.