CVSS: 9.1EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21019 – Magento Commerce XML Injection Could Lead To Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-21019
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a una inyección de XML en el módulo Widgets. Una explotación con éxito podría conllevar a una ejecución de código arbitraria por parte de un atacante autenticado. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21020 – Magento Commerce Improper Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2021-21020
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son susceptibles a una vulnerabilidad de omisión del control de acceso en el módulo Login as Customer. Una explotación con éxito podría conllevar a un acceso no autorizado a recursos restringidos • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-284: Improper Access Control •
CVSS: 9.1EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21024 – Magento Commerce Blind SQL Injection Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21024
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), están afectadas por una vulnerabilidad de inyección SQL ciega en el módulo Search. Una explotación con éxito podría conllevar a un acceso no autorizado a recursos restringidos por parte de un atacante no autenticado. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21026 – Magento Commerce Incorrect permissions Could Lead To Unauthorized Access
https://notcve.org/view.php?id=CVE-2021-21026
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), están afectadas por una vulnerabilidad de autorización inapropiada en el módulo de integraciones. Una explotación con éxito podría conllevar a un acceso no autorizado a recursos restringidos por parte de un atacante no autenticado. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-285: Improper Authorization •
CVSS: 4.8EPSS: 0%CPEs: 10EXPL: 0CVE-2021-21023 – Magento Commerce Stored Cross Site Scripting Vulnerability Could Lead To Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2021-21023
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation. Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son susceptibles a una vulnerabilidad de tipo cross-site scripting almacenado en la consola de administración. Una explotación con éxito podría conllevar a una ejecución arbitraria de JavaScript en el navegador de la víctima. • https://helpx.adobe.com/security/products/magento/apsb21-08.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •