Magento Commerce

CVEs (23)

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2021-36020	Adobe Inc. Magento Commerce	0.02	—	0.31	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36023	Adobe Inc. Commerce	0.01	—	0.13	Sep 6, 2023	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36035	Adobe Inc. Magento Commerce	0.01	—	0.07	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution.
CVE-2021-36024	Adobe Inc. Magento Commerce	0.01	—	0.09	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file…
CVE-2021-36031	Adobe Inc. Magento Commerce	0.01	—	0.10	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code…
CVE-2021-36028	Adobe Inc. Magento Commerce	0.01	—	0.11	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code…
CVE-2021-36022	Adobe Inc. Magento Commerce	0.01	—	0.11	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36033	Adobe Inc. Magento Commerce	0.01	—	0.11	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36044	Adobe Inc. Magento Commerce	0.00	—	0.02	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field.
CVE-2021-36027	Adobe Inc. Magento Commerce	0.00	—	0.02	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…
CVE-2021-36043	Adobe Inc. Magento Commerce	0.00	—	0.03	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be…
CVE-2021-36042	Adobe Inc. Magento Commerce	0.00	—	0.04	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can…
CVE-2021-36030	Adobe Inc. Magento Commerce	0.00	—	0.01	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items.
CVE-2021-36040	Adobe Inc. Magento Commerce	0.00	—	0.03	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to…
CVE-2021-36025	Adobe Inc. Magento Commerce	0.00	—	0.05	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can leverage…
CVE-2021-36039	Adobe Inc. Magento Commerce	0.00	—	0.01	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information.
CVE-2021-36029	Adobe Inc. Magento Commerce	0.00	—	0.03	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
CVE-2021-36026	Adobe Inc. Magento Commerce	0.00	—	0.02	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form…
CVE-2021-36032	Adobe Inc. Magento Commerce	0.00	—	0.01	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve…
CVE-2021-36038	Adobe Inc. Magento Commerce	0.00	—	0.01	Sep 1, 2021	Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information…

CVE-2021-36020Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.02cvss —epss 0.31
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36023Sep 6, 2023
Adobe Inc.
Commerce
risk 0.01cvss —epss 0.13
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36035Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.01cvss —epss 0.07
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could make a crafted request to the Adobe Stock API to achieve remote code execution.
CVE-2021-36024Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.01cvss —epss 0.09
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file…
CVE-2021-36031Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.01cvss —epss 0.10
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code…
CVE-2021-36028Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.01cvss —epss 0.11
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code…
CVE-2021-36022Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.01cvss —epss 0.11
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36033Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.01cvss —epss 0.11
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36044Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.02
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field.
CVE-2021-36027Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.02
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be…
CVE-2021-36043Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be…
CVE-2021-36042Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.04
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can…
CVE-2021-36030Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items.
CVE-2021-36040Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to…
CVE-2021-36025Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.05
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can leverage…
CVE-2021-36039Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information.
CVE-2021-36029Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.03
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
CVE-2021-36026Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.02
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form…
CVE-2021-36032Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve…
CVE-2021-36038Sep 1, 2021
Adobe Inc.
Magento Commerce
risk 0.00cvss —epss 0.01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information…

Page 1 of 2