CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21022 – Magento Commerce Incorrect permissions Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21022
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a una referencia directa a objeto no segura (IDOR) en el módulo del producto. Una explotación con éxito podría conllevar a un acces... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.1EPSS: 6%CPEs: 10EXPL: 0CVE-2021-21030 – Magento Commerce Stored Cross-site Scripting Could Lead To Arbitrary Javascript Execution
https://notcve.org/view.php?id=CVE-2021-21030
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a un ataque de tipo cross-site scripting (XSS) almacenado en ... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21027 – Magento Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Data Modification
https://notcve.org/view.php?id=CVE-2021-21027
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), están afectadas por una vulnerabilidad de ... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21031 – Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21031
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), no invalidan adecuadamente las sesiones de usuario. Una explotación con éxito podría conllevar a un acceso no auto... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-613: Insufficient Session Expiration •
CVSS: 4.8EPSS: 50%CPEs: 10EXPL: 1CVE-2021-21029 – Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution
https://notcve.org/view.php?id=CVE-2021-21029
10 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), están afectadas por una vulnerabilidad de tipo Cross-site Scripting Ref... • https://packetstorm.news/files/id/161364 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21013 – Magento Commerce Insecure Direct Object Reference Could Lead To Information Disclosure
https://notcve.org/view.php?id=CVE-2021-21013
13 Jan 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the customer API module. Successful exploitation could lead to sensitive information disclosure and update arbitrary information on another user's account. Las versiones de Magento 2.4.1 (y anteriores), 2.4.0-p1 (y anteriores) y 2.3.6 (y anteriores) son vulnerables a una vulnerabilidad de objeto directo inseguro (IDOR) en el módulo API de cliente. Una explo... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2020-24404 – Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API
https://notcve.org/view.php?id=CVE-2020-24404
09 Nov 2020 — Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization. Magento versiones 2.4.0 y 2.3.5p1 (y anteriores) están afectadas por una vulnerabilidad de permisos incorrectos dentro del componente Integrations. Esta vulnerabilidad podría ser abusada por usuarios con permisos en el recurso... • https://helpx.adobe.com/security/products/magento/apsb20-59.html • CWE-285: Improper Authorization •
CVSS: 9.1EPSS: 2%CPEs: 8EXPL: 0CVE-2020-24407 – Arbitrary code execution via file import functionality
https://notcve.org/view.php?id=CVE-2020-24407
09 Nov 2020 — Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components. Magento versiones 2.4.0 y 2.3.5p1 (y anteriores) están afectadas por una vulnerabilidad de carga de archivos no segura que podría resultar en una ejecución de código arbitraria. Esta vulnerabilidad podría ser abusada p... • https://helpx.adobe.com/security/products/magento/apsb20-59.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-24406 – Document root path disclosure on Maintenance page
https://notcve.org/view.php?id=CVE-2020-24406
09 Nov 2020 — When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment. Cuando está en modo de mantenimiento, Magento versiones 2.4.0 y 2.3.4 (y anteriores) están afectadas por una vulnerabilidad de divulgación de información que podría exponer la ruta de inst... • https://helpx.adobe.com/security/products/magento/apsb20-59.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2020-24405 – Incorrect permissions in Inventory module could lead to unauthorized modification of inventory stock data
https://notcve.org/view.php?id=CVE-2020-24405
09 Nov 2020 — Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization. Magento versiones 2.4.0 y 2.3.5p1 (y anteriores), están afectadas por una vulnerabilidad de problema de permisos incorrectos en el módulo Inventory. Esta vulnerabilidad podría ser abusada por parte de unos usuarios autentificados para modificar los datos de las... • https://helpx.adobe.com/security/products/magento/apsb20-59.html • CWE-285: Improper Authorization •