
CVE-2021-21024 – Magento Commerce Blind SQL Injection Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21024
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2021-21026 – Magento Commerce Incorrect permissions Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21026
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-285: Improper Authorization

CVE-2021-21023 – Magento Commerce Stored Cross Site Scripting Vulnerability Could Lead To Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2021-21023
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-21022 – Magento Commerce Incorrect permissions Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21022
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2021-21030 – Magento Commerce Stored Cross-site Scripting Could Lead To Arbitrary JavaScript Execution
https://notcve.org/view.php?id=CVE-2021-21030
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-21027 – Magento Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Data Modification
https://notcve.org/view.php?id=CVE-2021-21027
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2021-21031 – Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21031
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-613: Insufficient Session Expiration

CVE-2021-21029 – Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution
https://notcve.org/view.php?id=CVE-2021-21029
10 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a reflected cross-site scripting vulnerability via the 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation. • https://packetstorm.news/files/id/161364 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-21013 – Magento Commerce Insecure Direct Object Reference Could Lead To Information Disclosure
https://notcve.org/view.php?id=CVE-2021-21013
13 Jan 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) vulnerability in the customer API module. Successful exploitation could lead to sensitive information disclosure and to the update of arbitrary information on another user's account. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-639: Authorization Bypass Through User-Controlled Key • CWE-863: Incorrect Authorization

CVE-2020-24404 – Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API
https://notcve.org/view.php?id=CVE-2020-24404
09 Nov 2020 — Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete CMS pages via the REST API without authorization. • https://helpx.adobe.com/security/products/magento/apsb20-59.html • CWE-285: Improper Authorization