CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21022 – Magento Commerce Incorrect permissions Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21022
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a una referencia directa a objeto no segura (IDOR) en el módulo del producto. Una explotación con éxito podría conllevar a un acces... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.1EPSS: 6%CPEs: 10EXPL: 0CVE-2021-21030 – Magento Commerce Stored Cross-site Scripting Could Lead To Arbitrary Javascript Execution
https://notcve.org/view.php?id=CVE-2021-21030
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a un ataque de tipo cross-site scripting (XSS) almacenado en ... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21027 – Magento Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Data Modification
https://notcve.org/view.php?id=CVE-2021-21027
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), están afectadas por una vulnerabilidad de ... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21031 – Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21031
11 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), no invalidan adecuadamente las sesiones de usuario. Una explotación con éxito podría conllevar a un acceso no auto... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-613: Insufficient Session Expiration •
CVSS: 4.8EPSS: 50%CPEs: 10EXPL: 1CVE-2021-21029 – Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution
https://notcve.org/view.php?id=CVE-2021-21029
10 Feb 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), están afectadas por una vulnerabilidad de tipo Cross-site Scripting Ref... • https://packetstorm.news/files/id/161364 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21013 – Magento Commerce Insecure Direct Object Reference Could Lead To Information Disclosure
https://notcve.org/view.php?id=CVE-2021-21013
13 Jan 2021 — Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the customer API module. Successful exploitation could lead to sensitive information disclosure and update arbitrary information on another user's account. Las versiones de Magento 2.4.1 (y anteriores), 2.4.0-p1 (y anteriores) y 2.3.6 (y anteriores) son vulnerables a una vulnerabilidad de objeto directo inseguro (IDOR) en el módulo API de cliente. Una explo... • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15244 – RCE in Magento
https://notcve.org/view.php?id=CVE-2020-15244
21 Oct 2020 — In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4. En Magento (paquete rubygems openmage/magento-lts) versiones anteriores a 19.4.8 y 20.0.4, un usuario administrador puede generar credenciales soap que pueden ser usadas para activar una RCE por medio de la inyección de objetos PHP... • https://github.com/OpenMage/magento-lts • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •