CVSS: 8.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-36036 – Magento Commerce Media Gallery Upload Improper Access Control Could Lead To Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-36036
06 Sep 2023 — Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution. Las versiones 2.4.2 (y anteriores), 2.4.2-p1 (y anteriores) y 2.3.7 (y anteriores) de Magento... • https://helpx.adobe.com/security/products/magento/apsb21-64.html • CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-36021 – Magento Commerce CMS Page Improper Input Validation Could Lead To Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-36021
06 Sep 2023 — Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability to achieve remote code execution on the system. Las versiones 2.4.2 (y anteriores), 2.4.2-p1 (y anteriores) y 2.3.7 (y anteriores) de Magento están afectadas por una vulnerabilidad de validación de entrada Incorrecta dentro de la fu... • https://helpx.adobe.com/security/products/magento/apsb21-64.html • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 1%CPEs: 10EXPL: 0CVE-2021-36023 – Magento Commerce Widgets Update Layout XML Injection Vulnerability Could Lead To Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-36023
06 Sep 2023 — Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Las versiones 2.4.2 (y anteriores), 2.4.2-p1 (y anteriores) y 2.3.7 (y anteriores) de Magento Commerce están afectadas por una vulnerabilidad de inyección XML en el diseño de actualización de widgets. Un atacante con privilegios de ad... • https://helpx.adobe.com/security/products/magento/apsb21-64.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 1%CPEs: 35EXPL: 0CVE-2023-29287 – Adobe Commerce Information Exposure Security feature bypass
https://notcve.org/view.php?id=CVE-2023-29287
15 Jun 2023 — Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Information Exposure vulnerability that could lead to a security feature bypass. An attacker could leverage this vulnerability to leak minor user data. Exploitation of this issue does not require user interaction.. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 35EXPL: 0CVE-2023-29288 – Adobe Commerce | Incorrect Authorization (CWE-863)
https://notcve.org/view.php?id=CVE-2023-29288
15 Jun 2023 — Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 1%CPEs: 35EXPL: 0CVE-2023-29289 – Adobe Commerce XML Injection Security feature bypass
https://notcve.org/view.php?id=CVE-2023-29289
15 Jun 2023 — Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges can trigger a specially crafted script to a security feature bypass. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 5.3EPSS: 0%CPEs: 35EXPL: 0CVE-2023-29290 – Adobe Commerce Guest Cart Shipping Address Overwrite IDOR
https://notcve.org/view.php?id=CVE-2023-29290
15 Jun 2023 — Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-353: Missing Support for Integrity Check •
CVSS: 6.1EPSS: 0%CPEs: 35EXPL: 0CVE-2023-29291 – Server Side Request Forgery (SSRF) in USPS carrier integration configuration
https://notcve.org/view.php?id=CVE-2023-29291
15 Jun 2023 — Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 35EXPL: 0CVE-2023-29292 – Server Side Request Forgery (SSRF) in FedEx carrier integration configuration
https://notcve.org/view.php?id=CVE-2023-29292
15 Jun 2023 — Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 3.3EPSS: 1%CPEs: 35EXPL: 0CVE-2023-29293 – Adobe Commerce | Improper Input Validation (CWE-20)
https://notcve.org/view.php?id=CVE-2023-29293
15 Jun 2023 — Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-20: Improper Input Validation •