CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21027 – Magento Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Data Modification
https://notcve.org/view.php?id=CVE-2021-21027
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), están afectadas por una vulnerabilidad de tipo cross-site request forgery (CSRF) por medio de la API GraphQL. Una explotación con éxito podría conllevar a modificaciones no autorizadas de los metadatos del cliente por parte de un atacante no autenticado. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21031 – Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21031
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), no invalidan adecuadamente las sesiones de usuario. Una explotación con éxito podría conllevar a un acceso no autorizado a recursos restringidos. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-613: Insufficient Session Expiration •
CVSS: 4.8EPSS: 1%CPEs: 10EXPL: 0CVE-2021-21029 – Magento Commerce Reflected Cross-site Scripting Vulnerability Could Lead To Arbitrary JavaScript Execution
https://notcve.org/view.php?id=CVE-2021-21029
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), están afectadas por una vulnerabilidad de tipo Cross-site Scripting Reflejado por medio del parámetro "file". Una explotación con éxito podría conllevar a una ejecución arbitraria de JavaScript en el navegador de la víctima. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21013 – Magento Commerce Insecure Direct Object Reference Could Lead To Information Disclosure
https://notcve.org/view.php?id=CVE-2021-21013
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the customer API module. Successful exploitation could lead to sensitive information disclosure and update arbitrary information on another user's account. Las versiones de Magento 2.4.1 (y anteriores), 2.4.0-p1 (y anteriores) y 2.3.6 (y anteriores) son vulnerables a una vulnerabilidad de objeto directo inseguro (IDOR) en el módulo API de cliente. Una explotación exitosa podría llevar a la divulgación de información sensible y a la actualización de información arbitraria en la cuenta de otro usuario • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2020-24404 – Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API
https://notcve.org/view.php?id=CVE-2020-24404
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization. Magento versiones 2.4.0 y 2.3.5p1 (y anteriores) están afectadas por una vulnerabilidad de permisos incorrectos dentro del componente Integrations. Esta vulnerabilidad podría ser abusada por usuarios con permisos en el recurso Pages para eliminar páginas cms por medio de la API REST sin autorización • https://helpx.adobe.com/security/products/magento/apsb20-59.html • CWE-285: Improper Authorization •