CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28566 – Magento Commerce information disclosure during upload action leveraging a specially crafted file
https://notcve.org/view.php?id=CVE-2021-28566
08 Sep 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), son susceptibles a una v... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2021-32759 – Data Flow Sanitation Issue Fix
https://notcve.org/view.php?id=CVE-2021-32759
27 Aug 2021 — OpenMage magento-lts is an alternative to the Magento CE official releases. Due to missing sanitation in data flow in versions prior to 19.4.15 and 20.0.13, it was possible for admin users to upload arbitrary executable files to the server. OpenMage versions 19.4.15 and 20.0.13 have a patch for this Issue. OpenMage magento-lts es una alternativa a las versiones oficiales de Magento CE. Debido a una falta de saneamiento en el flujo de datos en las versiones anteriores a 19.4.15 y 20.0.13, era posible que los... • https://github.com/OpenMage/magento-lts/releases/tag/v19.4.15 • CWE-20: Improper Input Validation •
CVSS: 7.2EPSS: 0%CPEs: 12EXPL: 0CVE-2021-28584 – Magento Commerce path traversal vulnerability in child theme store creation
https://notcve.org/view.php?id=CVE-2021-28584
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad de Salto de Ruta cuando... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 12EXPL: 0CVE-2021-28585 – Magento Commerce improper input validation in customer customer webapi
https://notcve.org/view.php?id=CVE-2021-28585
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad de comprobación inapropiada de entrada en la WebAPI de nuevos clientes. Una explotación con éxito podría p... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2021-28583 – Magento Commerce insecure storage of sensitive documentation
https://notcve.org/view.php?id=CVE-2021-28583
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad de Violation of Secure Design Principles en los formatos de nombre de archi... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-657: Violation of Secure Design Principles •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-28563 – Magento Commerce improper Authorization via the 'Create Customer' endpoint
https://notcve.org/view.php?id=CVE-2021-28563
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad ... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-285: Improper Authorization •
CVSS: 6.9EPSS: 39%CPEs: 4EXPL: 0CVE-2021-28556 – Magento Commerce DOM-based cross-site scripting (XSS) could lead to arbitrary javascript execution
https://notcve.org/view.php?id=CVE-2021-28556
28 Jun 2021 — Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), están afectadas por una vulnerabilidad de tipo Cross-Site Scripti... • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21427 – Backport for CVE-2021-21024 Blind SQLi from Magento 2
https://notcve.org/view.php?id=CVE-2021-21427
21 Apr 2021 — Magento-lts is a long-term support alternative to Magento Community Edition (CE). A vulnerability in magento-lts versions before 19.4.13 and 20.0.9 potentially allows an administrator unauthorized access to restricted resources. This is a backport of CVE-2021-21024. The vulnerability is patched in versions 19.4.13 and 20.0.9. Magento-lts es una alternativa de soporte a largo plazo a Magento Community Edition (CE). • https://github.com/OpenMage/magento-lts/security/advisories/GHSA-fvrf-9428-527m • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21426 – Fixes a bug in Zend Framework's Stream HTTP Wrapper
https://notcve.org/view.php?id=CVE-2021-21426
21 Apr 2021 — Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework. Magento-lts es una alternativa de soporte a largo plazo a Magento Community Edition (CE). • https://github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98c • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 0%CPEs: 10EXPL: 1CVE-2021-21014 – Magento Commerce Arbitrary Folder Empty Could Lead To Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2021-21014
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a una omisión de restricción de la carga de archivos. Una explotación con éxito podr... • https://github.com/HoangKien1020/CVE-2021-21014 • CWE-434: Unrestricted Upload of File with Dangerous Type •