CVSS: 4.8EPSS: 44%CPEs: 20EXPL: 0CVE-2022-34258 – Adobe Commerce Stored XSS Arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-34258
16 Aug 2022 — Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas po... • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 91%CPEs: 14EXPL: 10CVE-2022-24086 – Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2022-24086
16 Feb 2022 — Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution. Adobe Commerce versiones 2.4.3-p1 (y anteriores) y 2.3.7-p2 (y anteriores), están afectadas por una vulnerabilidad de comprobación de entrada inapropiada durante el proceso de compra. Una explotación de este problema no requiere la interacción... • https://github.com/Mr-xn/CVE-2022-24086 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28567 – Magento Commerce improper authorization allows an authenticated user to perform certain functions without permission
https://notcve.org/view.php?id=CVE-2021-28567
08 Sep 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), son susceptibles a una vulnerabilidad de Autorización Inapropiada en el módulo... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28566 – Magento Commerce information disclosure during upload action leveraging a specially crafted file
https://notcve.org/view.php?id=CVE-2021-28566
08 Sep 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), son susceptibles a una v... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.2EPSS: 0%CPEs: 12EXPL: 0CVE-2021-28584 – Magento Commerce path traversal vulnerability in child theme store creation
https://notcve.org/view.php?id=CVE-2021-28584
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad de Salto de Ruta cuando... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 12EXPL: 0CVE-2021-28585 – Magento Commerce improper input validation in customer customer webapi
https://notcve.org/view.php?id=CVE-2021-28585
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad de comprobación inapropiada de entrada en la WebAPI de nuevos clientes. Una explotación con éxito podría p... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2021-28583 – Magento Commerce insecure storage of sensitive documentation
https://notcve.org/view.php?id=CVE-2021-28583
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad de Violation of Secure Design Principles en los formatos de nombre de archi... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-657: Violation of Secure Design Principles •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-28563 – Magento Commerce improper Authorization via the 'Create Customer' endpoint
https://notcve.org/view.php?id=CVE-2021-28563
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad ... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-285: Improper Authorization •
CVSS: 6.9EPSS: 39%CPEs: 4EXPL: 0CVE-2021-28556 – Magento Commerce DOM-based cross-site scripting (XSS) could lead to arbitrary javascript execution
https://notcve.org/view.php?id=CVE-2021-28556
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad de tipo Cross-Site Scripti... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21064 – Magento UPWARD-php Path traversal vulnerability via UPWARD Connector
https://notcve.org/view.php?id=CVE-2021-21064
25 Feb 2021 — Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which allows reading arbitrary files from the remote server. Access to the admin console is required for successful exploitation. Magento UPWARD-php versiones 1.1.4 (y anteriores) está afectado por una vulnerabilidad ... • https://github.com/magento/upward-php/security • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •